8938cd7a-2d47-4466-ae6a-af1aa5da358eCoalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 (fraud risk considerations) because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the business operates and as such they do not extend their paradigm to consider non-financial fraud risks.
]]>Thu, 12 Sep 2019 20:19:05 GMTab745894-bfce-4ccd-b0a5-0249ff61abb2It’s been five years since the PCI Council released the first “Best Practices for Maintaining PCI DSS Compliance” guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organization’s compliance program for the PCI DSS.
]]>Mon, 26 Aug 2019 21:03:38 GMT805c1785-8984-40a6-a4af-68d92f498f49Finding new bugs and exploiting them can be exciting and fun for a penetration tester. I was ecstatic to find my first two zero-days, and I used them to break a system from no access to root. This was a good day for me – but the story behind the story provides some real lessons enterprises can apply to their security programs.
]]>Wed, 21 Aug 2019 19:13:23 GMT33ae495f-f483-4d70-bb4a-9b7123456b84As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit.
]]>Wed, 31 Jul 2019 23:00:09 GMTc03f8cb5-51b2-4eb4-bab5-76d664fc0672The National Institute of Standards and Technology (NIST) published an updated guide (Special Publication 800-63b) for Digital Identity Guidance in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various Authenticator Assurance Levels (AALs). It provides recommendations on the lifecycle of authenticators, including revocation in the event of loss or theft, complexity requirements, and authenticator expirations.
]]>Wed, 31 Jul 2019 21:42:12 GMT754eb1f8-3031-4716-9b7f-4f63e6329b72PCI DSS 4.0 is currently in its request for comments (RFC) process, where the industry can provide comments and feedback to help shape the next iteration. This process is initially open to the participating organizations – members that help steer and inform the PCI SSC based on their experiences. The RFC period for PCI DSS 4.0 ends in November 2019, and the council hopes to release PCI DSS 4.0 toward the end of 2020.
]]>Tue, 02 Jul 2019 20:16:00 GMT19c4fb20-8d19-4394-a9de-897198e2f081Data governance is something your organization has likely considered, put into action, and implemented. The question is, to what degree is the data actually being governed – or not?
]]>Thu, 20 Jun 2019 15:48:11 GMTcbe7617f-55c0-4257-b312-f05f448d22b5The HITRUST 2019 conference took place last month in Dallas, Texas, and covered important topics such as risk management, compliance, third-party assurance, cybersecurity, medical devices, and the Internet of Things (IoT). As speakers and sponsors, we saw much enthusiasm about HITRUST Common Security Framework (CSF) validation and certification outside of the healthcare industry.
]]>Wed, 19 Jun 2019 20:44:58 GMTe023b13f-cfe5-4d6b-90cc-28c5066f1a43As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments, detections from AV have caused me to look toward custom tooling to mitigate the risk of being detected by both traditional AV as well as security operations teams relying on network indicators. Over the past year I’ve been slowly developing my own tooling to deal with these challenges.
]]>Wed, 19 Jun 2019 19:31:19 GMTb6395d3f-f1c9-4052-9eb5-2affcb53d00dFuzzing is a software testing methodology that can be used from either a black or white box perspective and predominantly consists of providing deliberately malformed inputs to an application to identify errors such as unhandled exceptions, memory spikes, thread hangs, read access violations or buffer overruns that could lead to further compromise of a system.
]]>Tue, 04 Jun 2019 04:04:04 GMT2568dab9-1c02-4c88-80de-f3a2c907e63dHave a checklist of tasks you perform every penetration test, such as SSH bruteforcing or port mapping? Automate it with Python and Metasploit! Unfortunately, there hasn’t been a working, full-featured Python library for making these tasks easy for many years now. This changes today.
]]>Mon, 20 May 2019 18:17:41 GMT8b77938d-0d59-4f6a-83d1-76e1653ae244What is cloud computing, and why is its increased use getting so much attention? In my view, cloud computing is just the latest iteration of what started back in the days of the IBM service bureaus of the 1960s and ‘70s. Back then, only a handful of organizations had the resources to own and operate IBM mainframe computers. Those that did eventually realized they were only using a fraction of these computers’ capacity; and so, they came up with a novel approach – rent computing time to other organizations that couldn’t afford to own a mainframe themselves but could take advantage of the computing power they offered. This was easily done given the security model and ability to partition memory and processing built into the mainframe. Voila! Cloud computing was born!
]]>Thu, 02 May 2019 20:58:15 GMTe9cd5d5c-75ff-461f-aecf-095aef79b576After I graduated from high school, I knew I wanted to do something in computers and IT, but I did not know exactly what – the IT help desk route, databases and database management, programming and software development, or something else perhaps? I knew one thing though – I did not want to be in a job where I was going through the same monotonous task(s) day after day, sitting in a cubicle and not talking to or interacting with anyone. I wanted a job that was dynamic, exciting, and brought about new challenges and opportunities for growth every day.
]]>Wed, 24 Apr 2019 17:46:00 GMTbef75d4c-3093-4820-8c4e-db9dba599104The Healthcare and Public Health Sector Coordinating Council (HSCC) conducted their biannual Joint Cybersecurity Working Group (JCWG) All-Hands Meeting on April 3-4, 2019. As a member of HSCC, Coalfire participated in the JCWG meeting with other security leaders from across the healthcare industry and was able to take part in their cybersecurity disaster preparedness exercise. The meeting is designated as a Critical Infrastructure Partnership Advisory Council (CIPAC) meeting under the authority of the Department of Homeland Security.
]]>Thu, 18 Apr 2019 16:09:01 GMT0390bf8c-5165-4075-ad51-07ca41b40defSome things work so well together that even suggesting they don’t now seems almost ridiculous. But I wonder, who were the pioneers that fought back when questioned about the jelly on the PB? The savory with the sweet. The steak wrapped in cheese . . . those crazy hipsters spreading avocado on toast. Yet, now these are the norm, and so it’s time to embrace yet another: Payments and the Cloud. My teams work with some of the biggest payment processors in the world, and for years we saw reluctance, cloud inertia, and concerns over security and compliance. Some of these fears were reasonable at the time, such as concerns over outages and uptime – concerns that are reasonable when stepping into any commercial outsource-type of relationship.
]]>Wed, 17 Apr 2019 21:39:53 GMT6f79dd8d-cd25-4eac-815e-c80c50784418Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. If you happen to have a corporate laptop, odds are you too have AMT built into your system. To a sysadmin, AMT eases access to machines for the sake of assisting employees with technical issues, even if the hard drive has failed or been affected by ransomware. This is due primarily to the fact that AMT does not require a functioning operating system for accessibility. Its configuration and operating environment reside completely within its own dedicated hardware!
]]>Tue, 09 Apr 2019 22:39:52 GMT73ebc32e-ca99-4411-8d69-c74491a75b4eAs the end of another busy tax season approaches, it is important for accounting firms to remember their obligations related to data security. Accounting firms maintain a significant amount of data on behalf of their own employees and clients. These firms house financial records, tax information, corporate intellectual property, legal documents, healthcare records, and/or other privacy information, all of which is valuable to cybercriminals. This data can be used for ransom, filing fraudulent tax returns, or sold on the dark web. Should this occur, firms could face a loss of reputation, clients, and money. In the months leading up to April, the number of client engagements (and data) increases significantly, in turn, increasing risk.
]]>Thu, 04 Apr 2019 18:36:17 GMT23c3221b-8b9f-4248-9cf6-6355c3da74b2As you may be aware by now (considering previous blog posts, ongoing walk-through webinars, and our press release), we released Coalfire’s brand new vulnerability scanning platform, CoalfireOne Scans, this morning. All of us here at the CoalfireOne Scanning Services Team are truly excited to see its many improvements around overall user experience, particularly the significantly reduced time spent on dispute cycles and the ability to create custom reporting. The new platform, which provides our PCI Approved Scanning Vendor (ASV) service featuring internal and external scans while enabling easy collaboration and project management, will provide users with smooth navigation, a robust database to ensure fast processing speeds, and scalable IP scanning capabilities.
]]>Wed, 03 Apr 2019 21:56:00 GMT8ec44a49-d4ca-4dad-bdf3-1fe966bc677aThe benefits of undergoing mandatory or voluntary cybersecurity compliance assessments are well known throughout the cybersecurity industry. These benefits include improving the security posture of the organization, enabling sales to move faster through the sales lifecycle, addressing regulatory compliance requirements, and many more. Despite the benefits, compliance assessments can be labor intensive and painful. This pain is often due to the complexities associated with understanding the security posture of the environment being assessed as well as collecting this information in a timely and efficient manner. Amazon Web Services (AWS) offers a number of services that provide flexibility, scalability, and reliability in the cloud. AWS also offers services to assist cybersecurity professionals with understanding their security environment and demonstrating compliance to auditors to ease the pain of cybersecurity assessments. One of those services is AWS Trusted Advisor, which provides real-time best practice guidance to help provision, monitor, and maintain AWS resources. These best practice recommendations span five categories: cost optimization, performance, security, fault tolerance, and service limits.
]]>Thu, 28 Mar 2019 20:15:38 GMT162569c7-e162-4fef-a045-80f6759efd6fPassword hashes are an everyday part of life in Coalfire Labs. Barring any other low-hanging fruit, it’s not uncommon for a penetration test to hinge on recovering a plaintext password from one of these hashes. Whether it’s NTLM hashes from Active Directory, NetNTLMv2 from Responder, WPA2 PMK from a wireless penetration test, or hundreds of other possible sources of hashes, recovering the original password has been a challenge for hackers for decades.
]]>Thu, 21 Mar 2019 17:10:21 GMT99e16d53-e2f1-4045-b232-2a04f60d3578Last week, the 2019 RSA Conference was held with typical energy and exuberance in San Francisco. One of the largest cybersecurity industry conferences, it had over 700 exhibiting vendors (not including another 50 in their Early Stage Expo area) and over 500 sessions covering a wide range of current topics in the cybersecurity field. Keynote speakers included industry leaders and government officials such as Christopher Wray, Director of the FBI, and General Paul Nakasone, Commander of US Cyber Command and Director of the NSA.
]]>Mon, 18 Mar 2019 22:26:23 GMT90070b9b-4a41-4239-b44c-5289bb244b8bCyber breaches aren’t the only hot topic in the cyber media—sometimes the attack tactics themselves can claim the limelight when a significant breach gains media attention. One tactic getting some attention in the news is “password spraying.” We offer an overview of what it is, how to avoid it, and what to do if you think you were affected by an attack below; but note that a strong overall cybersecurity posture and adherence to best practices are always the best defense across the range of attack vectors, whether they are in the news or not!
]]>Fri, 15 Mar 2019 17:56:12 GMT57fd7cef-85d9-444b-b702-654c5838b8eePart of the glamorous life of an ASV involves a rigorous Quality Assurance program to ensure that we are the best ASV's we can possibly be. Some of those efforts are not as readily apparent to our clients as others; but on some occasions, we like to share when our work directly benefits those who trust Coalfire to help reduce their risk and simplify compliance.
]]>Thu, 14 Mar 2019 21:22:26 GMTc4197686-8f28-42ed-8961-3a7fd5c964faGathering evidence, applying patches, and configuring your systems in preparation for submitting your vulnerability disputes can be a nerve-wracking and daunting task. To better enhance your understanding of the Approved Scanning Vendor (ASV) process, I’ve outlined some coping mechanisms and tools to use.
]]>Fri, 22 Feb 2019 17:53:44 GMTac06b34d-ec1a-49c5-b13c-c683481cc539Today, the Internet of Things (IoT) means that billions of devices are connected to the Internet. People and organizations are looking to connect devices more frequently for automation, simplification, and the feature advantages the IoT delivers. Items such as smoke detectors, glasses, watches, ovens, refrigerators, garage doors, and more are connecting to the Internet, with most of the associated data saved to the Cloud.
]]>Thu, 21 Feb 2019 19:35:38 GMT554fc320-7f1e-4202-a975-e4e64968dba2One of the biggest challenges our customers face when pursuing Federal Risk and Authorization Management Program (FedRAMP) compliance is the federal mandate that Federal Information Processing Standards (FIPS) 140-2 validated cryptographic modules must be consistently applied where cryptography is required. Where is cryptography required you ask?
]]>Tue, 19 Feb 2019 19:46:08 GMTcee88358-e4d8-4c07-9514-b25da105278dIn the information security community, a proactive approach to incident response is always considered best practice. Reacting in the moment can drain resources and often, the full impact of the incident may take weeks or even months to remediate. Despite this, making a case to management for the value of a proactive approach can be difficult. Buying a new tool or service provides quantifiable efficiency returns; but how do you present your case when the return on investment (ROI) for incident response isn’t as measurable?
]]>Fri, 15 Feb 2019 18:36:45 GMT698f36df-3c19-4e6c-8c91-3963884d3859When I have conversations with hospitals and other organizations subject to HIPAA, one of the first questions asked is “if I have a data breach, will OCR fine me, and if so, how much?” Many organizations decide to gamble: they opt to save time and money by not implementing a robust information risk and compliance program on the chance that the Office for Civil Rights (OCR) won’t fine them in the event of a breach. Although the OCR is the regulatory agency that enforces HIPAA, their fines are only one potential expense an organization incurs for a data breach.
]]>Tue, 12 Feb 2019 21:44:54 GMT23aeaf5c-371a-49b4-b09d-0133a884cfc1I was recently asked to be a speaker on my first “Women in Cybersecurity” panel. I accepted, despite my admitted fear of speaking in public, on a stage, dishing honesty to be judged by strangers. But, I did it because I know that it’ll make me a better speaker and a better leader – the more practice, the easier it’ll get, right?
]]>Mon, 11 Feb 2019 18:02:49 GMT05cfbde0-3981-4ce6-9067-800235f3205cYour software vendor is asleep at the wheel and your devs still need that legacy daemon.
]]>Mon, 04 Feb 2019 21:17:49 GMT4f9886e9-7806-48be-8e71-9155d287aa0fAs you may know, performing vulnerability scans is a requirement for PCI DSS compliance. One of those specific requirements, described in section 11.2.2, states that quarterly external scanning must be done by a qualified Approved Scanning Vendor. Coalfire just so happens to be an ASV, so if you need these scans we would happily oblige!
]]>Wed, 30 Jan 2019 19:20:31 GMTce657273-d64c-4aea-a00e-1cd46936846fIn August 2018, California issued a revised version of a new consumer privacy law—the California Consumer Privacy Act (CCPA). This statute goes into effect on January 1, 2020 and provides broad privacy protections to California consumers. This statute will have wide-ranging effects outside of California because it will apply to organizations that conduct business in California.
]]>Mon, 21 Jan 2019 22:13:58 GMT71bf939e-8f74-4124-9213-0a3ecb96d29eThe Payment Application Data Security Standard (PA-DSS) developed by the Payment Card Industry Security Standards Council (PCI SSC) applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. The list of various payment applications that are currently validated for software vendors is located on the PCI SSC Website.
]]>Mon, 21 Jan 2019 18:33:08 GMTf076940c-3a89-4e93-8c5a-9e62c2614cc9Scan interference is best defined as when traffic from our scanners gets blocked, filtered, dropped, or modified in response to some sort of active protection system not recognizing our traffic. Once our scanners are flagged as an intruder, the client’s environment is no longer accessible, which causes the scan to fail. In order to ensure that reliable scans can be conducted, our scanners must be allowed to perform scanning without this interruption.
]]>Fri, 18 Jan 2019 21:06:36 GMTa5756649-45d4-459d-94e8-138e6629352dPCI-DSS can be challenging to navigate – particularly when it comes to the ASV scanning requirements. While fulfilling the scanning requirement is easy, obtaining a passing attestation report may involve more than simply remediating failed findings. One requirement that we receive many questions about is Special Notes.
]]>Tue, 08 Jan 2019 20:10:21 GMT227a3ca4-cebd-4db1-90ab-d0b699d787a6Hope House of Colorado is metro-Denver’s only resource for providing free self-sufficiency programs to teen moms, including residential, General Educational Development (GED), and college and career programs. Additional supportive services include parenting and healthy relationship classes, life skills workshops, and certified counseling, all designed to prepare young mothers for long-term independence. On December 3, 2018, Coalfire RISE members teamed with Hope House of Colorado to announce a scholarship program to add to Hope House’s programs and advance our mission of giving back to our communities while supporting the development of cybersecurity talent.
]]>Tue, 08 Jan 2019 18:56:44 GMTb1ec3760-9f39-4835-9c71-4de4a44912cdOne aspect of being a penetration tester that is always rewarding is the process of rabbit-holing into an area of interest and letting the data guide me to my destination. Recently, while updating and testing new code on a custom cookie fuzzing tool (Anomalous Cookie – https://github.com/Coalfire-Research/AnomalousCookie.git/), I discovered a XSS (cross-site scripting) vulnerability on EpicGames.com. While it appeared possible to write a good payload (stealing cookies and injecting malicious JavaScript/BeEF hooking), I had no good way to deliver it. Traditional cookie-stuffing (https://en.wikipedia.org/wiki/Cookie_stuffing) might work to drop the rogue cookie onto a target’s machine; but could there be other ways? If not, this would most certainly be classified as 'Self-XSS.'
]]>Fri, 21 Dec 2018 17:42:51 GMTe01041cd-e4e3-4f15-a2d4-f4612a8b085fSecond only to protecting sensitive credit card account information, safeguarding the cardholder’s personal identification number (PIN) is one of the most important tasks for prevention of card-present fraud in retail and banking. With the continued movement toward chip-and-PIN EMV (the technology standard named for Europay, Mastercard, and Visa), it is even more crucial that entities handling PINs protect this information properly in the face of continually evolving threats.
]]>Wed, 19 Dec 2018 21:43:03 GMT43dc776c-6cea-4163-b27c-98a6ee522deaIn March 2011, the PCI SSC released the initial version of the “Protecting Telephone-Based Payments Card Data” Information Supplement as a guide to help assessors assess environments where cardholder data was stored, processed, and/or transmitted over the telephone. It was a pivotal guidance document at the time that set the stage for a broader focus on telephony technologies. As of November 2018, that time has finally arrived. The revised document provides a comprehensive dive into various telephony architectures (specifically VoIP, ISDN, and PSTN) and related people and processes that are required to be considered within scope for PCI DSS compliance.
]]>Mon, 10 Dec 2018 16:38:49 GMT92fe238b-a523-4d62-88c3-57386e0b7abcThis week, news was released regarding a critical security Common Vulnerability and Exposure (CVE) associated with the Kubernetes container software (CVE-2018-1002105). While this is only a reported vulnerability at this stage (and no actual exploits have been reported to date), organizations that have Kubernetes deployed within their environment(s) are strongly advised to treat this matter with high priority.
]]>Fri, 07 Dec 2018 22:37:45 GMTab28fc7b-1d06-42ad-9ca3-c619a01fd673NIST 800-171A introduces a standardized opportunity to perform a more structured and granular level of assessment leveraging the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.
]]>Mon, 26 Nov 2018 23:05:18 GMT752b6e09-ad06-4602-9b1e-2a2e323a8081Many HIPAA covered entities (CEs) and business associates (BAs) may not be meeting the regulatory mandate as defined in §164.308(a)(1)(ii)(A) of the HIPAA Security Rule. This implementation specification requires that healthcare delivery organizations (HDOs) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
]]>Mon, 26 Nov 2018 17:13:13 GMTf69cdabe-3696-4fc4-a509-7fc98e45445cInformation security incidents can result in reputational damage, financial losses, or a loss of system functionality for organizations at any time. Because threats and attack vectors are growing rapidly, organizations must prepare to respond to incidents in real time. The incident response (IR) process must be able to detect common attack vectors and common misconfigurations that could potentially lead to an incident. Effective IR is vital to the security of any organization and is also a critical process that is evaluated when undergoing the following compliance assessments: FedRAMP, SOC & SSAE 18, ISO, HITRUST, PCI-DSS, among others.
]]>Mon, 22 Oct 2018 17:41:40 GMTebb0fa15-ffbe-4259-aea5-35a4710e23a6The Department of Homeland Security (DHS) charged the Healthcare and Public Health Sector Coordinating Council (HSCC) with serving as a partnership between the private and public healthcare sectors. To that end, two unique councils were formed: The Healthcare and Public Health Government Coordinating Council (HGCC) was established by presidential directive to sustain the essential functions of the nation’s healthcare and public health system; the HSCC is a companion council established by presidential directive as a private sector counterpart with similar mission objectives. A key difference between the two is the HSCC is a purely voluntary organization whose membership is solicited to provide influence and expertise within the healthcare industry.
]]>Thu, 18 Oct 2018 17:15:14 GMT09f3ade0-e827-4459-9be2-12a9d830e991Too busy to attend the PCI Community Meetings this year? Coalfire has you covered with the top 6 things you need to know from the most important annual payments conference in the world.
]]>Fri, 05 Oct 2018 21:24:59 GMT6084de0c-2d0e-4f67-b0c0-a1d4eef37a7eRecently I happened to be in the market for a baby monitor, so I decided to search Amazon for an affordable device that would fit my needs. A search for “baby monitor” within the “electronics” department brought me to the LeFun WiFi Camera. For $39.99 (at the time of my purchase), this seemed like it could be a good deal. Knowing the reputation of Internet of Things (IoT) devices, I was curious about its security. This was addressed in the product description with the guarantee that when I connect to any device, it will be via a “secure and safe network” and will be secured with “financial-level encryption.” It also boasts that they are “CE, FCC, and RoHS certified,” which is good, despite those certifications only dealing with safety and not information security.
]]>Wed, 03 Oct 2018 20:13:57 GMT31e28850-c624-4b50-9d23-7177e547267dRecently, a popular online retailer revealed a month-long data breach. Card-skimming code was found capturing customer credit card data from the payment page of its website and sending that data to what appeared to be a legitimate server (with a similar domain name and a valid HTTPS certificate). The company has not yet determined which customer accounts may have been affected, so the extent of the damage is yet to be determined.
]]>Fri, 28 Sep 2018 16:13:08 GMT66287d33-e84c-45f1-ada1-2a3630f13c77I have been involved in a number of healthcare penetration tests here at Coalfire and in my previous roles. I have hacked electronic medical records, medical devices, and most importantly, humans. From my time as a systems engineer at a medical device and systems vendor to my current role at Coalfire as a penetration tester, I have seen a few healthcare organizations grow from highly insecure to cyber-fortresses. In this blog, I will highlight the most common issues my teammates and I come across while penetration testing healthcare environments.
]]>Tue, 25 Sep 2018 20:31:26 GMTf612c589-b8b1-48f4-983f-d926864dbf79On September 24, I was pleased to represent Coalfire (and private-sector expertise) by attending the kickoff for the Privacy Framework at the Brookings Institute in Washington, D.C. The event was attended by notable leaders in the industry and government: The Departments of Transportation and Commerce, the Information Technology Industry Council, Intel, Citrix, National Telecommunications, and various other notable public and private-sector leaders in the industry. The National Institute of Standards and Technology (NIST) is taking steps toward pulling the various, splintered privacy initiatives in our nation together into a focused approach – and it is very exciting to see.
]]>Tue, 25 Sep 2018 17:48:50 GMT6cfa90d1-7be4-4c6d-ae67-c6e403a7ab65At the SplunkLive! Conference in Washington, D.C., Splunk gave a presentation on Phantom, a Security Orchestration, Automation, and Response (SOAR) system. Splunk acquired Phantom this year for $350 million.
]]>Wed, 12 Sep 2018 21:43:18 GMT68af6e4e-b1dd-4ca3-8954-382b10922a24When I first began working at Coalfire in early 2017, I couldn’t wait to get started pentesting professionally for the first time. When I finally got tasked with my first gig, I dove right in. I was tasked to perform an assessment of the external network. After hitting all known servers and web applications with various scanning tools, I had nothing. For a penetration tester, the assessment does not end here.
]]>Tue, 11 Sep 2018 10:15:03 GMT5402fa63-f330-454c-8cc2-074c38540282While performing a web application penetration test, I stumbled upon a parameter with some base64 encoded data within a POST parameter. Curious as to what it was, I sent it over to Burp decoder.
]]>Tue, 04 Sep 2018 18:34:25 GMT853c4a6e-6358-4cd0-90b4-8e44deabdfb7Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name (example.com) or wordlist as input and cycles through likely S3 bucket names (example.s3.amazonaws.com) looking for any world-read/writeable buckets. S3 buckets are a great find for offensive security pros because they are commonly misconfigured. This leads to things like the famous RNC Voter Records breach or Verizon’s 2017 breach.
]]>Tue, 28 Aug 2018 19:52:23 GMT4ec82303-beb0-495d-a779-7f9540eee261While performing a routine internal penetration test, I began the assessment by running Responder in analyze mode just to get an idea of what was being sent over broadcast. Much to my surprise, I found that shortly after running it, a hash was captured by Responder’s SMB listener.
]]>Wed, 15 Aug 2018 21:32:02 GMTcbd0424b-229c-41d5-b367-349a5671f621If you want to learn what's up and coming for Google Cloud and make some great connections, Google Cloud NEXT is an informative, lively event to prioritize on your conference calendar. Coalfire attended the recent Google Cloud NEXT '18 conference in San Francisco (July 24-27) and found it to be a good venue to meet existing customers, make new contacts, and attend informative technical sessions. This is the second year for Google Cloud's conference, and it proved to be a platform for many product and feature announcements while conveying a strong security theme. In addition to the many technical talks on security topics, Google Cloud made several important service announcements related to security; this blog post will review a few of the more noteworthy topics.
]]>Thu, 09 Aug 2018 18:57:43 GMT9f6e87cd-df52-4010-89fa-d3c4e32d1de5For those of us charged with managing cyber risk as well as planning and budgeting for cybersecurity, the Gartner “Hype Cycle for Risk Management, 2018” provides some helpful perspectives that are useful in setting both priorities and expectations.
[Wed, 08 Aug 2018 19:42:42 GMT] In our recent analysis of penetration testing engagements contained in our Penetration Risk Report, we discuss the impact that social engineering, specifically phishing, has on the ability to allow attackers insider access to compromise an organization.

[Tue, 17 Jul 2018 16:46:29 GMT] SOC 2 has seen quite a few changes in the past year in how reports must be presented in the future. The American Institute of Certified Public Accountants (AICPA) replaced the old SSAE 16 standard with SSAE 18, released the 2017 Trust Services Criteria, the new Description Criteria (DC-200), and a new SOC 2 Guide. That’s a lot of change in a small amount of time! Many of these changes will help clarify reports and make SOC examinations stronger; Coalfire is here to help you navigate the changes and understand how they will affect your reporting.

[Fri, 13 Jul 2018 16:13:04 GMT] On June 13, 2018, NIST formally released their Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI). This publication provides organizations with an assessment methodology to evaluate their compliance with the CUI security requirements defined in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which went into effect on December 31, 2017.

[Fri, 13 Jul 2018 15:34:28 GMT] In late June, California passed a new consumer privacy law—the California Consumer Privacy Act (CCPA). This statute provides protections to California residents; but it will also have wide-ranging effects outside of California as it will apply to organizations that conduct business in California. The CCPA, which goes into effect on January 1, 2020, will be the broadest privacy law in the United States, granting more protections to personal data than any current privacy statute.

[Wed, 11 Jul 2018 18:27:28 GMT] In previous blogs, we’ve discussed some of the struggles organizations have when responding to cyber incidents. For many, it is the recovery aspect, and specifically vendor liability for the data or privacy breach, that poses many questions. In trying to assign liability, the obvious place to start is the contract with the vendor. Generally, most vendor contract language limits liability to some small percentage of the contract value, and most contracts have limited liability clauses that completely remove vendor liability relating to damages even if the vendor is negligent in its implementation of the product or service.

[Mon, 09 Jul 2018 22:25:05 GMT] Many Salesforce Independent Software Vendors (ISVs) are interested in pursuing FedRAMP to serve federal customers, but have many questions about the process. The four questions below are the most common questions that Coalfire receives from these ISV partners; we have provided some basic responses to help provide a better understanding of the Salesforce FedRAMP process.

[Mon, 09 Jul 2018 16:41:18 GMT] One of my Labs colleagues recently published an article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter. This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploit’s Web Delivery module. I wanted to demonstrate an alternate way to achieve the same goal, without dropping any files on the host system while providing more options depending on what ports can egress the network.

[Tue, 26 Jun 2018 20:08:18 GMT] As part of the ongoing implementation of the Affordable Care Act (ACA), the Centers for Medicare and Medicaid Services (CMS) recently began permitting direct enrollment entities (qualified health plan issuers and web-brokers) to host their own enrollment applications on their websites instead of proxying enrollment interactions to Healthcare.gov. This is an optional program called Enhanced Direct Enrollment (EDE), which will go into effect during the open enrollment period for PY 2019.

[Tue, 26 Jun 2018 17:37:32 GMT] Coalfire published the latest report in its Securealities series, The Penetration Risk Report, and it’s based on findings from Coalfire penetration tests. It includes data drawn from engagements with businesses of all sizes, spanning financial services, retail, healthcare, and technology/cloud service providers. Some findings were contrary to currently accepted wisdom on cybersecurity, while other findings confirmed long-held notions.

[Mon, 25 Jun 2018 19:21:51 GMT] Coalfire was asked to participate on a technical panel about the Internet of Things (IoT) at the Leidos Supplier Innovation & Technology Symposium on June 6. This event is a dynamic day enabling Leidos’ largest suppliers as well as targeted start-ups to showcase their offerings and capabilities to a diverse set of federal leaders and key contractors.

[Tue, 12 Jun 2018 19:11:08 GMT] I like to do bug bounties from time to time, mostly when I am sacrificing sleep once the kids are finally out cold. This seemed like a worthy experience to document. Let me just start by saying I don't plan on going into the whole recon bits too deeply here. Maybe I will someday if I ever have enough time to give the topic the justice it deserves.

[Mon, 11 Jun 2018 21:32:37 GMT] Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension. There are a few things, however, that while they exist in Burp Suite, are not completely intuitive. Below are a few pro tips to help you get the most out of your web application tests.

[Fri, 08 Jun 2018 19:26:31 GMT] According to the SANS Institute, “Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization.”

[Thu, 07 Jun 2018 20:54:51 GMT] I recently spoke at the Cloud Security Alliance’s Federal Summit on the topic “Continuous Monitoring / Continuous Diagnostics and Mitigation (CDM) Concepts in the Cloud.” As government has moved and will continue to move to the cloud, it is becoming increasingly important to ensure continuous monitoring goals are met in this environment. Specifically, cloud assets can be highly dynamic, lacking persistence, and thus traditional methods for continuous monitoring that work for on-premise solutions don’t always translate to the cloud.

[Fri, 01 Jun 2018 19:01:04 GMT] Have you ever heard the old saying, “The only constant in life is change”? Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our efforts to evade defenses. This week was one of those weeks for me.

[Thu, 31 May 2018 21:51:34 GMT] Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems. It comes configured with a default username and password of “foglight.”

[Wed, 23 May 2018 18:57:04 GMT] Here’s a Burp trick you might not know, which helped find this instance of command execution and lots of SQL injection in other applications. Despite PortSwigger claiming otherwise, Burp does not parse JSON very well, especially nested JSON parameters and values like you see below.

[Mon, 21 May 2018 18:21:26 GMT] On Thursday, May 17, the PCI Security Standards Council (PCI SSC) released an updated version of the PCI DSS standard, primarily to include clarifications and minor revisions around controls that referenced SSL/early TLS. The new version removes notes referring to the effective date of February 1, 2018 for applicable requirements, as this date has passed. Unlike prior PCI DSS version updates, this update does not include any new control requirements. With that in mind, there are some key specifics that are applicable to merchants and service providers.

[Fri, 18 May 2018 19:11:32 GMT] Cybersecurity practitioners sometimes forget to define and explain the terms we use during the course of our work. Thus, my colleagues and I have embarked on a series of posts that provide a primer on some of the most important cyber engineering practices. In this post, we will focus on configuration management (CM).

[Thu, 17 May 2018 15:56:04 GMT] Within the past year, AWS unveiled what is arguably one of the best programs they have ever offered to non-technical professionals in the AWS Partner Network (APN): the AWS Certified Cloud Practitioner certification. The program, which is especially valuable for those in sales or marketing roles, doesn’t offer any high-tech products or services for selling or marketing AWS. Instead, it offers a learning path and a certification that is intended to provide individuals with the knowledge and skills necessary to effectively demonstrate an overall understanding of the AWS Cloud.

[Wed, 16 May 2018 20:36:34 GMT] Anytime I see a file upload form during an application test, my attention is piqued. In a best-case scenario, I can upload a reverse shell in a scripting language available on the webserver. If the application is running in PHP or ASP, for example, it becomes quite easy. If I can’t get a backdoor uploaded, I will try to upload an HTML page to get my own client-side JavaScript uploaded for XSS attacks.

[Wed, 09 May 2018 17:40:57 GMT] Enterprises are increasingly pursuing the business advantages of migrating technology platforms and services into the cloud environment, leveraging one or more of the three main cloud service areas – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These advantages include but are not limited to rapid information system deployment, significantly reduced operating costs, massive economies of scale, processing speed, and agility. However, subscription to these services often implies security and compliance challenges for enterprises that are often unprepared to resolve them.

[Wed, 02 May 2018 18:27:28 GMT] I was able to compromise a Chef server on one of my recent engagements. Owning a Chef server means having the keys to the castle. I wasn’t quite sure how to go about using this tool. I’m familiar with Puppet as I’ve spent the majority of my career on the systems side. Having never run into Chef, I needed to put a little time into figuring out the fastest way to use a Chef infrastructure to shell a bunch of sensitive hosts. Here is how I went about it.

[Mon, 30 Apr 2018 18:37:28 GMT] RSA 2018 is in the books! The event welcomed 42,000 attendees to San Francisco, including cybersecurity professionals, vendors, media, and analysts. The themes of visibility and transparency repeatedly came up in discussions and presentations as organizations grapple with ever-increasing data flows across multiple technology platforms and cloud ecosystems. Another big topic of interest was the European Union’s upcoming General Data Protection Regulation (GDPR) and how it will affect organizations and their data.

[Fri, 27 Apr 2018 18:04:01 GMT] Organizations tracking their PCI compliance are likely aware of the impending June 30, 2018 deadline to disable SSLv3 and early TLS. This blog post examines the special case of Cloud Service Providers (CSPs) and how their customers should proceed to achieve compliance.

[Mon, 23 Apr 2018 19:08:40 GMT] Cybersecurity is a hot topic for just about everyone: it affects organizations as well as individuals, workers, and citizens. Each of us needs at least a basic understanding of how to safely use and protect the devices and systems that are a part of our day-to-day lives.

[Mon, 16 Apr 2018 23:03:24 GMT] In March 2018, the American Institute of Certified Public Accountants (AICPA) released its highly anticipated new System and Organization Controls 2 (SOC 2) guide, which includes information for the extant (2016) trust services principles and the new (2017) trust services criteria. The following is a summary of some key highlights in the new guide, what changed, and what to expect for future SOC 2 efforts.

[Mon, 16 Apr 2018 16:20:32 GMT] Last month RISE, Coalfire’s association of women in cybersecurity and leadership, welcomed our inaugural guest speaker, Amanda Mesler, General Manager of Microsoft Central and Eastern Europe. I had the great fortune to interview her and lead a discussion with our members.

[Mon, 09 Apr 2018 20:43:45 GMT] More and more companies are embracing Cloud computing for the practicality, efficiency, and economy of outsourcing the housing, maintenance, and monitoring of applications and their associated infrastructure to a third-party provider. As the Cloud becomes more the norm than the exception, there is no lack of choices: Providers such as Amazon (AWS), Microsoft, IBM, and countless others are providing a variety of solutions, from e-commerce sites that process payments and credit cards, to developmental networks used to test and configure operational assets.

[Wed, 04 Apr 2018 18:23:40 GMT] Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. We'd like to review our recent experience and offer suggestions for these comparatively novel situations.

[Sun, 01 Apr 2018 19:52:47 GMT] I had the recent opportunity to speak at BSides SLC, held on the Sandy campus of Salt Lake Community College. I tailored my presentation to the student demographic and chose to talk about one of the fundamental concepts that a penetration tester must understand: types of shells. I touched on the differences between simple shell interaction and a full-featured terminal and then launched into a discussion focusing on web shells. Following the theory conversation, I demonstrated how control over a server could be established by exploiting a file inclusion vulnerability and default credentials to deploy two different web shells, each adapted for the particular platform.

[Mon, 26 Mar 2018 16:24:58 GMT] POODLE is a vulnerability found in late 2014, and it is still occasionally seen during penetration tests. The vulnerability allows an attacker with a man-in-the-middle position to downgrade a secure connection between a client and a server to the vulnerable SSLv3. After the connection is downgraded, the attacker can proceed to perform the padding oracle attack, recover known plaintext, and decrypt the ciphertext.

[Thu, 22 Mar 2018 17:56:28 GMT] Last week, the Institute of Internal Auditors (IIA) held its 2018 Global Audit Management Conference at the Aria Resort in Las Vegas. With over 1,700 attendees, this was the most well-attended event in the history of the conference. Coalfire was one of the sponsors, and we were delighted to meet with so many forward-thinking audit executives and practitioners.

[Wed, 21 Mar 2018 22:15:37 GMT] To break the ice with Active Directory and shorten the cycles penetration testers spend on cracking passwords, I developed Icebreaker, a tool that automates network attacks against Active Directory and provides plaintext credentials. Icebreaker performs five network attacks in order...

[Fri, 16 Mar 2018 18:15:12 GMT] As a member of Coalfire’s Cyber Engineering team, I frequently get questions about vulnerability Deviation Requests (DRs) from Cloud Service Providers (CSPs) seeking Federal Risk and Authorization Management Program (FedRAMP) authorizations. In this post, I’ll try to answer questions we frequently encounter about Deviation Requests and provide some useful resource links.

[Mon, 12 Mar 2018 19:02:55 GMT] The HITRUST TPA Summit brought together experts representing customers, vendors, and assessor firms in various aspects of risk management to share best practices, lessons learned, and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program and HITRUST Assessment Exchange. Coalfire sent a team of healthcare experts to the Chicago event to meet with our HITRUST clients and folks from organizations who are thinking about a HITRUST journey. We were also there to find out what’s next for the HITRUST CSF, and we found out that the future is exciting!

[Wed, 07 Mar 2018 00:28:21 GMT] At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. We also address requests for help with “DFARS 7012,” which is a commonly used shorthand for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The information below should help to clarify some common questions around the purpose of each and the links between them.

[Tue, 06 Mar 2018 00:08:31 GMT] The Internet of Things (IoT) has been widely regarded as representing a significant cybersecurity risk, which will only grow as connected devices continue to proliferate. As an important step in addressing these concerns, the Interagency International Cybersecurity Standardization Working Group (IICS WG) has developed a draft National Institute of Standards and Technology Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). The report’s intent is to inform and enable policymakers, managers, and standards participants to seek timely development and use of cybersecurity standards in IoT components, systems, and services.

[Mon, 05 Mar 2018 18:23:54 GMT] On February 21, the U.S. Securities and Exchange Commission (SEC) issued the long overdue cybersecurity interpretive guidance to address the methods and timing of cybersecurity risk and incident disclosures. To signify the importance of this updated guidance, five SEC commissioners issued the guidance. The new guidance does not change any of the existing SEC rules, but it does address two new topics.

[Wed, 28 Feb 2018 20:37:36 GMT] In December 2016, NIST released Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems. Since that publication, I have worked with dozens of government contractors to help them understand this publication and determine if and how it applies to their businesses. This is the first of a three-part series that explains the standard and provides guidance to firms that must comply with it.

[Tue, 27 Feb 2018 20:29:03 GMT] If you’re familiar with the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), then you’re likely aware that HITRUST revises the CSF requirements twice annually to account for new regulations, technologies, and business models affecting the security of Protected Health Information (PHI). This enables the HITRUST CSF to evolve in step with the changing cyber risk landscape. HITRUST CSF version 9 is currently in effect, but HITRUST will release version 9.1 later this month.

[Wed, 21 Feb 2018 23:39:15 GMT] 2017 could be considered one of the most exciting (or horrifying) years in the technology industry. End-of-year statistics showed that the number of reported breaches in the business sector saw a 21% increase over the previous year, and headlines from all major news outlets were riddled with reports of hacks, data leaks, and high-profile vulnerabilities.

[Thu, 15 Feb 2018 20:34:10 GMT] The need to automate the creation of disposable red-team infrastructure is key to providing effective adversary simulations. As Coalfire Labs continued to grow, our team needed a system to quickly configure and spin up C2 and/or phishing infrastructure, run multiple campaigns at the same time, and recreate infrastructure if some parts got detected and/or blacklisted.

[Tue, 06 Feb 2018 19:42:43 GMT] The University of Michigan’s Archimedes Center for Medical Device Security hosted its second annual MDS 101 conference in Orlando this month. The conference provides a secure forum for attendees to speak freely about cybersecurity issues with respected professionals who can help establish best practices for improving medical device security.

[Fri, 26 Jan 2018 19:03:37 GMT] In the past six months, Coalfire has seen an increase in businesses receiving fraudulent emails from legitimate client accounts with fraudulent invoice attachments. In several cases, the recipient paid the invoices not realizing they were fraudulent. The losses have ranged between thousands and hundreds of thousands of dollars. When the business investigated, they found that the mailbox associated with the sender’s account did not contain the sent emails. Moreover, the authorized user claims they never sent the email.

[Tue, 16 Jan 2018 18:11:32 GMT] The news is rife with emerging details of Intel and other chip vulnerabilities and the ways these hardware bugs could potentially be exploited. While details are still developing and will likely continue to be uncovered in the days, weeks, and even months ahead, we will explore what is known to date.

[Fri, 05 Jan 2018 21:18:34 GMT] Security professionals from healthcare delivery organizations (HDOs), medical device manufacturers, and pharmaceutical companies gathered in Scottsdale, Arizona for the NH-ISAC Cyber Rodeo Summit last month. The big topics were how to share more threat intelligence, while at the same time ensuring the highest level of patient care and safety.

[Tue, 02 Jan 2018 22:41:16 GMT] The IoT Security Summit 2017 in New York City in late October and the Security of Things World USA 2017 in San Diego last month were both packed with thought leaders from all parts of the IoT ecosystem – device manufacturers, telecom carriers, cloud providers, and early-adopter end users from vertical industries. They came, they saw, and they tried to conquer the many security challenges faced by organizations when implementing IoT initiatives... but came away with many unanswered questions.

[Tue, 19 Dec 2017 20:25:56 GMT]

[Mon, 18 Dec 2017 21:23:48 GMT] The recent news regarding the Uber breach has captured the attention of both the public and legislators. It seems that Uber’s security team discovered a breach, paid a ransom, and didn’t report the matter to company leaders, law enforcement, personnel, or customers.

[Fri, 15 Dec 2017 00:00:20 GMT] If you are in the IT space, you’ve most likely encountered or are bound by some form of regulation/framework such as PCI, HIPAA, FISMA, and/or CJIS. Most of these compliance programs require a hardened baseline to be implemented within your information systems to reduce the risk and impact of an adverse security event. In this post, we’ll take a brief look at building a hardened baseline, examine some tools to assist in a phased approach to deployment, and discuss some common issues that may arise from deploying a system hardening regime.

[Mon, 11 Dec 2017 16:17:33 GMT] On November 28th at the Venetian in Las Vegas, AWS re:INVENT held an important session that could shape the future of technology. The sold-out session, SHE POWERS TECH: Women Supporting Women in Tech, filled a ballroom with 500 women in technology and a few men who were interested in the topic. The impressive line-up of speakers included women in a wide variety of technological fields spanning automotive engineering to technology in fashion.

[Fri, 01 Dec 2017 17:16:17 GMT] Whether you need to upgrade your firewalls on-premise or in the cloud, next-generation firewalls (NGFWs) can significantly reduce the risks associated with the modern threat landscape. Since attacks have evolved using techniques such as encryption, polymorphism, etc., firewalls have also evolved to protect against some of the most sophisticated attacks. Whether they are deployed as physical appliances or virtual machines, these firewalls are not only “application aware,” but they have become complete threat intelligence managers guarding you against known and zero-day threats.

[Thu, 16 Nov 2017 03:48:51 GMT] In September, Hurricane Irma forced the PCI SSC to cancel the North America Community Meeting; and the uncertainty of Catalonian independence from Spain may have led some to stay home from the Europe Community Meeting held in Barcelona last week. Nevertheless, the Coalfire team was well-represented in Barcelona. Because there were so many valuable updates, we offer this summary to keep you informed of these important developments in the world of PCI.

[Mon, 06 Nov 2017 23:09:33 GMT] ... Manager of Capital One’s Fraud Analysis team, and Jennifer Smith, who led the Cybersecurity and Data Privacy group at the Shulman, Rogers, Gandal, Pordy & Ecker law firm, to round out a diverse group from various parts of the industry. Each of us deals with fraud daily, but we have very different roles: Jennifer on the litigation side, Gerald from inside a bank, and myself from the technical perspective.

[Thu, 26 Oct 2017 00:33:46 GMT] Splunk is an extremely versatile tool when dealing with data:

- Monitor files? Check!
- Listen in on an open port? Check!
- Monitor the file system? Performance monitor? HTTP Event Collector?
- Check, check aaaaand check!

But what if the data you want to ingest does not have a method listed above? Say, something like a database or a security tool’s API? Scripted inputs are the solution! Splunk can even employ a variety of scripts, including (but not limited to) PowerShell, shell scripts, and Python. Besides working around data sources that do not use log files and cannot send via TCP or UDP, the advantages abound and include:


[Thu, 19 Oct 2017 20:32:16 GMT] Coalfire conducted a webinar, FedRAMP on AWS: What you need to know. The discussion covered what cloud service providers need to know when pursuing FedRAMP authorization leveraging AWS U.S. East/West or GovCloud. Below you’ll find the Top 10 things that cloud service providers should know.

[Wed, 18 Oct 2017 23:03:10 GMT] For some organizations, understanding, navigating, and complying with the Payment Card Industry (PCI) Data Security Standard (DSS), especially after the release of the latest version (v3.2) in April 2016, has become confusing and/or challenging because of the inclusion of phased-in applicability of requirements. The most common questions that Coalfire receives from clients are regarding requirement 11.3.4.1.

[Fri, 13 Oct 2017 21:36:32 GMT] By now, most of us have heard of Bitcoin. Few of us really know the specifics about what that is. Fewer still have a workable (or even cursory) knowledge of the underlying technology that makes Bitcoin possible.

[Fri, 06 Oct 2017 14:58:40 GMT] New Vulnerability Found Using Techniques Taught at Black Hat USA

One of the topics I teach in Coalfire's Adaptive Penetration Testing course, given most recently at Black Hat 2017, is manual privilege escalation on Linux- and Unix-based systems. I also talk about how common it is to gain an initial foothold in an environment by leveraging default or easily guessable login credentials. During a recent red team engagement, I leveraged both of these techniques – not only to fully compromise the organization's Active Directory environment, but also to discover and exploit a previously unknown vulnerability in the Replibit Linux distribution installed on a server on their network.

[Thu, 05 Oct 2017 18:13:54 GMT] (Part Three of a Three Part Series)

As the narrative on the Equifax compromise evolves, the general public, politicians, and speculators continue to seek blame for what happened. Was it an unpatched vulnerability? Was Equifax not following proper configuration management? Was management derelict in their duties? At this point, the damage of leaking records including the personally identifiable information (PII) of 143 million people is done. However, it might be good to look at what could have been done differently to reduce impact to the organization.

[Mon, 02 Oct 2017 18:26:01 GMT] (Part Two of a Three Part Series)

Since Equifax’s September 15th statement about their well-publicized, broadly discussed major security incident, Coalfire has fielded multiple inquiries from clients who are wondering if such an incident could happen to them, and if there is anything that they can do to better protect and prepare themselves. While every situation is different, one thing is clear: cyber risk management ought to be a top priority for every enterprise, and that priority should be established and enforced through cybersecurity governance.

[Wed, 27 Sep 2017 21:09:00 GMT] (Part One of a Three Part Series)

Unless you have been out of the country or otherwise shunning the news, you have likely heard that on September 7th and again on September 15th, Equifax reported that it suffered a security incident from May 13th through July 30th, 2017. This breach is broad reaching in its individual exposure and potential future impacts, having potentially exposed the personally identifiable information (PII) of roughly 143 million U.S. consumers, including names, Social Security numbers, birth dates and, in some instances, drivers’ license numbers. The company also reported losses related to consumer credit card data, PII on dispute documents, and limited PII for certain U.K. and Canadian residents.

[Tue, 19 Sep 2017 17:28:45 GMT] Here is what we know right now: Security company Armis recently released research identifying eight newly discovered vulnerabilities that exist in the wireless communications protocol Bluetooth, which could potentially affect a large percentage of the estimated 8.2 billion Bluetooth enabled devices, including laptops, mobile phones, and other IoT devices.

[Tue, 12 Sep 2017 04:19:50 GMT] While securing the organizational environment, it’s easy to focus on the enterprise assets without thinking as much about the vendor ecosystem. However, that extended ecosystem and how it interacts with the organization is a potentially significant risk if not secured properly.

[Tue, 05 Sep 2017 23:15:26 GMT] Working on digital forensics can sometimes create some challenging situations. Recently, we received a couple of Microsoft Surface Pro tablets to image and analyze. Having conducted forensics for a while, I realized that, depending on the version, imaging this tablet could be a challenge. Some setbacks normally associated with Surface tablets include not being able to remove the hard drive, the inability to place the device in target mode, and the hardware being very finicky about what OS can and cannot boot. Ultimately, the challenge comes down to having to use the tablet itself to perform the image, and the only option for input is a single USB port.

[Tue, 29 Aug 2017 19:07:39 GMT] The FedRAMP Business Case for being considered for this cycle of the Joint Authorization Board (JAB) has been pushed out to August 31 at 5:00pm Eastern. The additional time is to accommodate the large number of requests to document demand verification. Earlier, the JAB stated that federal demand across the U.S. government is the primary selection criterion for cloud service providers to be selected. This demand can be shown in current customers, on-premise customers interested in a cloud offering, and potential customers documented through RFIs/RFPs.

[Tue, 22 Aug 2017 21:01:24 GMT] What makes a penetration tester highly successful? Most obviously, the technical skills to hack into a network, application, or location come to mind first, and without those capabilities and the ability to continuously learn, an aspiring pen tester has a tough road ahead of them.

[Wed, 16 Aug 2017 17:46:03 GMT] SOC 2 reports are an important tool service providers use to give their customers assurances about their service’s security, compliance, privacy, availability, confidentiality, and processing integrity by providing details about the service and the related controls that are in place. SOC 2 examinations are conducted by independent CPA firms such as Coalfire Controls, LLC and other credible firms. Periodically, the American Institute of CPAs (AICPA) reviews the standardized criteria used in a SOC 2 examination and makes updates to keep the process relevant and assure it is providing stringent measures for customer organizations’ peace of mind.

[Mon, 07 Aug 2017 21:46:44 GMT] Every year, Black Hat is a highly anticipated event in the cybersecurity community—and Black Hat 2017 certainly did not disappoint! It was yet another year of record traffic, bustling with visitors from the security community who want to strengthen their security skills and postures. Organizations in the midst of digital transformations and digital native businesses alike sent security teams to learn about various tools and techniques to increase their knowledge of defense and breach prevention.

[Thu, 03 Aug 2017 21:14:02 GMT] Black Hat is just around the corner, and Coalfire is gearing up for the best Adaptive Penetration Testing Training yet! We’ve ‘adapted’ the Adaptive Penetration Test Training course with new instructors, enriched content, and new labs to provide the richest training to date. The revised training now includes exploitation and post-exploitation for Linux as well as an after-hours bonus, Social Engineering “practical” exercises. Demand has been high – we’ve sold out the July 22-23 class, but we’ve got just a few seats left for our July 24-25 class. Save $100 on those last seats if you register before the 21st!

[Tue, 18 Jul 2017 22:36:29 GMT] I thought my recent experience achieving all five (5) AWS certs might be helpful to others in the community that are looking to do the same. However, this blog isn’t meant to stand on its own, and I encourage everyone interested in going for all 5 certs to read other blog posts too.

[Wed, 12 Jul 2017 17:49:43 GMT] Just when we thought there were no more tears left in the wake of WannaCry, it’s time to pull out the tissues yet again for the latest global cyber incident: introducing “NotPetya,” the most recent ransomware variant to creep across continents and affect companies across many industries. Please read on for helpful information on how to prevent a NotPetya attack, as well as minimize propagation across the network.
Tue, 27 Jun 2017 23:16:28 GMT
Are your phishing tests worth the money you are spending on them?

Please don't misinterpret that as suggesting you shouldn't be testing your users. To the contrary, I think you should be testing all your users (executives of all ranks included) on a regular basis. What I mean by that question is: are you really "testing" your users, or are you merely spot quizzing them?

Tue, 27 Jun 2017 18:43:37 GMT
Coalfire recently returned from the Amazon Web Services (AWS) Public Sector Summit, held in Washington, D.C., which addresses some of the most pressing issues today’s leaders face around security, governance and compliance, and more. While Coalfire has attended the show in the past, we were especially amazed at how strong a conference this year was. The crowd totaled more than 10,000 attendees – up from 50 at the first Public Sector Summit only eight years ago. This year’s theme was “Super Heroes” and centered on how AWS provides its customers with “Superpowers” such as Speed, Power, Scalability, Durability, Strength and Truth.

Fri, 16 Jun 2017 23:11:39 GMT
The selection of a PCI-listed P2PE solution and the determination of its expected benefits can be challenging for even the most sophisticated merchants. The introduction of the NESA program can make these decisions more difficult. To help guide merchants, Coalfire and FreedomPay held a webinar, “P2PE & NESA for Merchants: How PCI P2PE and NESA Can Reduce Your Compliance Burden and Risk”.

Mon, 05 Jun 2017 18:35:41 GMT
The security analytics tools available to companies are increasing rapidly. However, cyber incident and vulnerability prevention, detection, response, and recovery times remain significant challenges as the types of attacks and attack vectors increase. Newer cyber analytics using machine learning are of primary interest because rule-based or signature-based prevention tools struggle to detect or stop advanced cybersecurity threats. CIOs and CISOs find that they often need to integrate or “orchestrate” existing cyber analytical tools, processes, and data into repeatable, automated workflows to fully support solid security operations activities. Concurrently, architectural challenges flourish as cloud services, mobile usage and IoT devices rapidly generate increasing amounts of data, new system endpoints, and network traffic flows.

Wed, 31 May 2017 21:03:38 GMT
Ransomware is on the rise, and organizations seeking to understand the process can learn from this client’s story of being a victim of ransomware: what can be expected and how to handle a ransomware attack. Recently, a company facing a malware infection approached us to help them deal with the encryption of most of their servers across their domain. This also included systems that held online backups - and there was no offline backup solution (that’s a topic for a whole different blog post). The company had discovered a ransom note on their affected systems, along with data files that had been deleted and new files created in the format <original_filename>.whereisyourfile that appeared to be encrypted.
Thu, 25 May 2017 17:12:34 GMT
On May 11, 2017, President Trump released the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This E.O. -- while stand-alone in focus -- should be seen in the context of a greater move in the Executive Branch to elevate awareness of and preparation for better cybersecurity across government. This is evidenced by the complementary cyber actions in the Presidential Executive Orders creating the Office of American Innovation and the American Technology Council, calling for IT modernization and customer service excellence, as well as the Office of Management and Budget (OMB) Director’s Memo 17-22 outlining reform that calls for a smaller, more accountable and more efficient federal government. The issuance of these directives does not in and of itself “solve” the government’s modernization, cyber, and performance problems; rather, collectively they denote a priority in the new administration for cyber and a recognition of the need for a coordinated approach across government and with the commercial sector.

Fri, 19 May 2017 18:06:01 GMT
Coalfire continues to closely monitor the WannaCry ransomware attack. Much has been written over the past few days about the attack. For those of you who may not have had time to review it in detail and assess appropriate actions for your organization, we wanted to provide summary information.

Mon, 15 May 2017 21:59:35 GMT
Coalfire’s SOC Practice Directors Dixon Wright and Jeff Cook recently conducted a webinar, “AWS and SOC Reporting: What You Need to Know.” The presentation provided a lot of good points that organizations should know or be prepared for regardless of the technology that is being used. Below you will find a transcript of the Q&A session from the webinar.

Tue, 09 May 2017 20:43:42 GMT
Coalfire released the results of its first annual FedRAMP Marketplace report – Securing Your Cloud Solutions: Research and Analysis on Meeting FedRAMP and Government Standards. The findings highlight many positives for cloud service providers and federal agencies, but also opportunities for both to improve. The report examined more than 500 FedRAMP assessment and advisory engagements that Coalfire conducted, an analysis of FedRAMP.gov authorized and in-process CSP listings, and interviews with information security executives with FedRAMP experience.

Tue, 02 May 2017 21:24:27 GMT
Recently, I was speaking with a CISO friend of mine and he mentioned that his company suffered a breach. I asked if it was a ransomware attack, and sadly, that was the case. Malware had infected nearly every connected computer. Clearly there was a breakdown in protective controls, but I’ll get to that in another post. Digging deeper, I inquired if the amount was under $2,000. Another “yes”. Reported to the FBI? “Yes” again!

Mon, 17 Apr 2017 22:41:36 GMT
How Coalfire is Helping Increase Access to PCI-listed P2PE Solutions - Use of a PCI-listed P2PE solution offers significant security and compliance benefits. However, merchants and service providers are still challenged to take full advantage of this opportunity. Coalfire has invested in solving the most significant obstacle to adoption of listed P2PE solutions.

Thu, 13 Apr 2017 21:09:23 GMT
Phew, the title of this post alone sounds like it could be quite a lot to deal with!

So what is DevOps? DevOps is simply the blending of infrastructure operations processes and software development to enable faster changes to business applications and technology. These processes share a lot of ideology with the Agile & Lean camps but are more fundamentally trying to bridge the traditional divide between the development world and the IT operations/service management teams.

Tue, 21 Mar 2017 16:18:18 GMT
On February 16, the FedRAMP Project Management Office (PMO) released the new FedRAMP Tailored security controls baseline for public comment (the comment period closes March 17, 2017). The new FedRAMP Tailored security controls baseline was created for Cloud Service Providers (CSPs) whose cloud service offerings (CSOs) do not require the more stringent process of the FedRAMP Moderate or FedRAMP High security control baselines.

Wed, 08 Mar 2017 10:25:52 GMT
On March 1st, 2017, sweeping new cybersecurity requirements were placed on organizations regulated by the New York State Department of Financial Services. The law applies to a broad set of ‘covered entities’ that are supervised by the NYDFS, including banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York. While large entities most likely meet these requirements already -- and very small entities are exempted from some of the requirements -- mid-market firms will be challenged to meet aggressive implementation timelines.

Thu, 02 Mar 2017 05:21:34 GMT
The cloud can burst!? This week’s AWS service disruption showed us the importance of architecting a system to account for failure, and how to be successful when deploying your solution in the cloud.

Wed, 01 Mar 2017 14:21:35 GMT
Over five days, 45,000 consumers and thought leaders convened at the 2017 RSA Conference, sharing insights on how to stay ahead of today’s – and tomorrow’s – cyber threats. Coalfire was in the thick of it, and here we’ve compiled some of the most important takeaways.

Thu, 23 Feb 2017 09:42:56 GMT
The AICPA Auditing Standards Board (ASB) announced new changes for SOC reporting under SSAE No. 18 in April 2016. A description of the changes and what they mean for service organizations is below.

The AICPA’s attestation standards contain the requirements and application guidance for performing and reporting on examination, review, and agreed-upon procedures engagements. Since Service Organization Controls (SOC) reports are classified as “examinations”, the attestation standards apply to these engagements.

Wed, 15 Feb 2017 21:03:40 GMT
In the compliance realm, the term “quarterly” seems to be a sound and straightforward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context in relation to the various compliance requirements from your ASV and QSA. Here are some guidelines around what you can do to prevent getting snagged in the potential mire of abiding by quarterly scanning requirements.

Thu, 02 Feb 2017 19:42:14 GMT
As part of the FedRAMP Accelerated process, cloud service providers (CSPs) can now complete a Readiness Assessment Report (RAR) to demonstrate their readiness for the FedRAMP process. The RAR is required for CSPs pursuing the FedRAMP JAB approval route. CSPs should also consider having a Readiness Assessment if they are pursuing the Agency approval route, where the RAR is not required, in order to provide assurances of the security posture of their solution.

Thu, 02 Feb 2017 10:49:43 GMT
On Friday, December 6th 2016, the PCI Security Standards Council released their formal information supplement titled Guidance for PCI DSS Scoping and Network Segmentation. This particular information supplement has been eagerly anticipated in the PCI DSS industry for several years. The document seeks to address some of the numerous, and often extremely varying, interpretations of scoping and segmentation requirements across the QSA population. These scoping choices have an immediate impact on near-term costs and attainment of compliance, but ultimately they significantly impact a company’s security posture. How does this affect Coalfire customers? The impact should be fairly limited if you have worked with Coalfire and accepted our recommendations to align with the information that we had from our involvement in the PCI Community.

Fri, 30 Dec 2016 13:30:27 GMT
How valuable would it be to be able to read another person’s mind? To know what they’re thinking or planning to do would be invaluable. Or, how valuable would it be to know what they have done in the recent past, especially if you believed they were involved in some criminal activity? Who they were talking to, or what they said. If you could recreate the events and determine the timeline of activity, information like this could help you solve plenty of mysteries.

Wed, 28 Dec 2016 13:20:05 GMT
Recently, Bloomberg Government published an article that describes the increasing awareness of the Federal Risk and Authorization Management Program (FedRAMP) as a major factor affecting the federal marketspace. The article indirectly indicates a major first-mover advantage, as there are “only 77 products” available to fulfill over two hundred Bloomberg-identified FedRAMP opportunities.

Wed, 14 Dec 2016 13:13:04 GMT
While PCI P2PE is still the most secure approach, solution providers who are not yet validated can now offer additional clarity to merchants, QSAs, and acquirers.

Tue, 06 Dec 2016 10:01:36 GMT
In July of this year, Verizon announced it was going to buy Yahoo for $4.8B. A few weeks later, Yahoo starts investigating a potential data breach of around 200 million records that were for sale on the Dark Web. In mid-September, Yahoo discloses that sometime in 2014 they were attacked and roughly 500 million user accounts were compromised. A couple of days later, Verizon says this is the first they’ve heard of this and that the event may have a “material impact” on the purchase deal. By October, news reports circulate that Verizon may ask for a $1B discount off the purchase price.

Fri, 11 Nov 2016 14:45:52 GMT
Everybody knows that the cost of a breach is high. Given that the chance of a data breach for all merchants is nearly 1-in-4, it’s important to have not only PCI compliance in place, but also the right solutions to optimize your compliance spend.

Fri, 11 Nov 2016 12:55:00 GMT
The Federal Risk and Authorization Management Program (FedRAMP) plans to build on its 2016 successes by planning for an ambitious 2017, according to a series of blog posts released by the General Services Administration (GSA).
Thu, 10 Nov 2016 09:12:33 GMT
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished its lights. I looked out my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk, I pulled out my tools for the night: a backpack full of trash bags, a flashlight, gloves, a tarp and oily rags taken from the garage. We walked in the warm summer air up a hill and to the street corner where the target was finally in view. There was the bank. Tonight was just recon, getting a lay of the land and some dumpster diving. We approached the bank and made a quick walk around the block identifying windows, entries and exits and connecting the dots of what I found on Google Maps. Under the cover of trees we started down an embankment towards the dumpster, but we spotted a police car. Trying not to cause any suspicion, we quickly made our way back to the sidewalk and walked away from the bank. My heart was racing. I didn't want to fail even before we started.

Thu, 27 Oct 2016 10:04:12 GMT
My initial thought was it has to be the firewall keeping my reverse shell from getting out of their environment. So, leveraging the command execution vulnerability, I started testing outbound internet access from the vulnerable server to my server on the internet, only to find that the port I had been using all along in the initial Metasploit attempt was allowed out. This left me with a sense of disappointed optimism because the firewall isn’t blocking it, but for some reason it isn’t working. “Maybe it’s getting caught by anti-virus”, I thought. I used the command execution to generate and execute an FTP script that would download a payload from my server. The logs on my server showed an active download from the target company’s network. “.. Excellent..”, I mischievously muttered to myself in my best Mr. Burns impression.

Thu, 27 Oct 2016 09:27:40 GMT
Our partner, the Chertoff Group, issued the following advisory. Client Advisory: October 21 distributed denial of service (DDoS) attack. A major distributed denial of service (DDoS) attack recently (10/21/16) disrupted Internet communications throughout parts of the United States in several waves, and there is growing concern over a number of increasingly disruptive DDoS events that have occurred over the past several months. While facts are still unfolding, the Chertoff Group offers the following situational awareness on recent events and selected mitigation measures to consider.

Tue, 25 Oct 2016 08:18:06 GMT
The FBI provided guidance on ransomware at a recent FBI/US Secret Service/ISAC event. They defined ransomware as a type of malware that is commonly transmitted through malicious email disguised to look normal. Once the email link has been clicked on, or an email attachment has been opened, the malware installs on the computer. After installation is completed, files on the computer become locked using encryption and cannot be opened without the key. A ransom message is then displayed with information on how to pay the ransom.

Mon, 03 Oct 2016 14:39:41 GMT
FedRAMP.gov recently published a blog titled ‘How Much Does It Cost to Go Through FedRAMP?’ As a FedRAMP Third Party Assessment Organization (3PAO), we wanted to provide additional factors for consideration for organizations that are evaluating or pursuing a FedRAMP authorization.

Thu, 22 Sep 2016 17:34:01 GMT
Coalfire has been participating in the American Council for Technology and the Industry Advisory Council (ACT-IAC) Cloud Computing community of interest in order to contribute to the development of the new FedRAMP JAB Prioritization process.

Mon, 29 Aug 2016 08:03:03 GMT
I recently attended “Infosec Week” in Vegas - Black Hat, BSides and DEFCON. BSides is a high point every year. This smaller con has a plethora of perks which make it a “must attend” and also offers many of the same benefits and opportunities as Black Hat and DEFCON.
Mon, 22 Aug 2016 13:39:05 GMT
Lots of hacks, lots of people, lots of content, and lots of parties. That basically sums up this year’s Black Hat and DEFCON. The two conferences seem to get bigger every year with no sign of slowing down, which emphasizes how cybersecurity is becoming more and more of an issue for everyone: governments, Fortune 1000 companies, small businesses and individuals alike.

Mon, 22 Aug 2016 12:35:56 GMT
The first year I attended, I was lucky enough to identify interesting wireless signals with a distinct sound – that of the POCSAG and FLEX protocols. Decoding these signals revealed party invites to the Telephreak party, where I listened to raw, uncensored lightning talks covering topics from car hacking to the fragility of the entire West Coast’s power grid, and even met notable figures like Kevin Mitnick. It’s not unheard of for other notorious characters, like John McAfee, to attend events like these and share war stories.

Wed, 17 Aug 2016 14:48:55 GMT
What a week! Hacker summer camp in Vegas was amazing! This was my first time through for all three of the conferences in Vegas – BSidesLV, Black Hat, and DEFCON. I’ve been to BSidesLV and DEFCON plenty of times, but experiencing all of these back-to-back (-to-back!, with a bit of overlap) gives a unique perspective on each of these and what makes them valuable. On a somewhat unrelated note, it also provided me my own “unique perspective” on exactly how many days I can do in Vegas before being “done”. As it turns out, that number is four. Not the six that I was there for – or the nine that the more hard-core members of our Labs team did! I don’t even want to imagine what nine days would do to me. *shiver*

Wed, 17 Aug 2016 13:20:16 GMT
Coalfire today announced Sam Pfanstiel has joined the company as the Director of Solution Architecture for Payments. Pfanstiel’s experience spans solution engineering and consulting as well as research and development positions.

Wed, 13 Jul 2016 08:23:39 GMT
Coalfire welcomes Robert Flores as the newest addition to the cybersecurity risk management and compliance service leader’s leadership team as its Vice President of Information Technology. Flores has a proven track record of driving strategy for high-growth IT companies while managing billion-dollar global programs and teams across the telecommunications, professional services and SaaS sectors in the United States and abroad.

Wed, 13 Jul 2016 08:15:16 GMT
If you’re an organization with a trans-Atlantic presence that transmits and stores European citizen data (e.g. employee payroll & HR data, client & prospect data) in the U.S., you will want to pay attention. What we will discuss was administered under the European Union’s Data Protection Directive and a previous EU-U.S. agreement called Safe Harbor. We will cover what happened, what’s next, the new rules (and penalties) that are set to go into effect, and our recommendations.

Fri, 08 Jul 2016 11:28:22 GMT
It’s clear from media articles that new CISOs need to make an immediate impact on their organization’s security program in the first 90 days, with action items such as “make a quarterly plan for the next year”.

Thu, 30 Jun 2016 10:16:41 GMT
According to research from PartnerRe and Advisen, the global cyber-insurance market is currently worth $2 billion a year, a number which is expected to double by 2020. With 60% of underwriters and brokers seeing significant demand for cyber-insurance from customers, there is clearly a great business opportunity for the insurance sector to offer cyber-insurance policies. However, unlike the standard model of developing a policy, cyber-insurance has a number of areas that policy providers need to first consider in order to see success.
Wed, 29 Jun 2016 11:03:35 GMT
The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199, and is mapped to the security controls from the NIST SP 800-53, Rev. 4 catalog of security controls. Previously, the FedRAMP authorization process was only designed for Low and Moderate impact systems.

Tue, 28 Jun 2016 15:58:50 GMT
In the next step to help customers adopt their platform for PCI, Amazon Web Services (AWS) has released their PCI DSS Quick Start program. The PCI DSS Quick Start program is the next evolution of cloud providers developing tools for rapid deployment of standardized configurations to drive adoption in heavily regulated industries. The Quick Start program was wholly developed by AWS field teams to provide guidance on reference architectures and configuration, along with tools to rapidly deploy that guidance.

Tue, 24 May 2016 13:09:38 GMT
Our CEO Larry Jones visited The White House Thursday morning to join First Lady Michelle Obama and Dr. Biden in the celebration of the Joining Forces initiative’s fifth-year anniversary and announce Coalfire’s pledge to hire and train veterans and military spouses.

Thu, 05 May 2016 15:44:41 GMT
A preview of new requirements and guidance expected later this month from the Payment Card Industry Security Standards Council was announced Thursday. The PCI DSS 3.2 version represents the first update to the standard that the Council has released since 3.1 in April 2015 and 3.0 in November of 2013.

Mon, 04 Apr 2016 17:06:22 GMT
On Dec. 18, 2015, President Obama signed into law an omnibus spending bill that included the Cybersecurity Act of 2015 (“The Act”). The Act was a compromise of cybersecurity information sharing bills that passed the House and Senate earlier in 2015. It creates a voluntary process for sharing cybersecurity information and is intended to encourage public- and private-sector entities to share cyber-threat information. The Act is controversial, as the active sharing of information between and among the Federal Government and private sector entities does not currently occur routinely or effectively.

Tue, 19 Jan 2016 16:06:25 GMT
The Payment Card Industry Security Standards Council (PCI SSC) released an update to its vulnerability standards and is giving merchants until June 2018 to migrate their security protocols, even though waiting is not recommended.

Thu, 07 Jan 2016 11:12:05 GMT
The lessons learned from this past year teach us that no one is immune to cyber threats. The sooner corporate boards and executives come to understand that cybersecurity breaches are a very real and pervasive threat, the sooner the hard work can begin: taking preemptive measures and preparing an appropriate response and recovery strategy.
Thu, 10 Dec 2015 11:35:34 GMT
On June 29, 2015, the Health Information Trust Alliance (HITRUST) announced that several massive payer organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group, will require their business associates to obtain CSF certification. While this is old news, HITRUST assembled more than 350 business-associate attendees at the “Health Industry Third Party Assurance Summit: Driving Efficiencies and Compliance through the HITRUST Assurance Program” last Friday as a way for business associates to (1) better understand the reasons for the mandate, (2) understand the journey to CSF certification, (3) interact with CSF Assessor organizations (such as Coalfire), and (4) learn about current initiatives underway at HITRUST.

Thu, 19 Nov 2015 13:19:06 GMT
By 8 p.m. the donuts from the previous day had gone stale, what was left of them anyway. There was the eerie feeling of spirits in the night mist tonight. It was late October and the chill was thick with Halloween. You could smell it in the haze. I consider myself quite tough, but when you are a ghost it’s always a little… spooky.

Mon, 26 Oct 2015 11:34:54 GMT
I arrived onsite to suite #102 (the bank’s corporate headquarters) around 9:40 a.m. I was impersonating a local utility worker – with all the garments like a hardhat, clipboard, obnoxious yellow vest, and some old Timberland work boots. I played the part well.

Mon, 26 Oct 2015 11:29:16 GMT
In today's security landscape, companies face daily threats to their reputation and intellectual property. The typical response to these threats is to purchase a tool or a service claiming to be a magical silver bullet that can respond to all "cyber" threats. In reality, the quest for a security silver bullet is a fool's errand, and any solid security program will revolve around continuous evaluation and training against emerging threats.

Mon, 26 Oct 2015 10:37:34 GMT
European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice (ECJ) declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European citizens from ‘massive and indiscriminate surveillance conducted by the U.S. government’, the authorities said. These actions were ruled incompatible with EU law in an Oct. 6 decision by the ECJ.

Thu, 22 Oct 2015 09:18:19 GMT
In a ruling on October 7, 2015, the European Court of Justice (ECJ) invalidated the principal European component of the U.S.-E.U. Safe Harbor Framework when it ruled in Schrems v. Data Protection Commissioner. In the ruling, the court said that the existing U.S.-EU Safe Harbor agreement, overseen by the U.S. Federal Trade Commission (FTC), is flawed in that it allows the U.S. government access to online information related to citizens of the European Union (EU).

Mon, 19 Oct 2015 12:11:35 GMT
Our media forensics practice is a fast-growing part of Coalfire. We’re often asked what we can do, and this post is intended as a quick primer: some background if you’re in need of this service, and what you can expect from us and others in the field.

Tue, 13 Oct 2015 10:10:20 GMT
Today marks the launch of a new book published by the New York Stock Exchange and Palo Alto Networks called "Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers." I’m proud to have worked with my predecessor, the late Rick Dakin, to contribute a chapter to this book, which provides boards, executives, and officers at enterprises, government agencies, and other organizations with useful, expert advice on how to best protect their businesses from cyberattacks.

Mon, 12 Oct 2015 12:39:03 GMT
The Payment Card Industry Security Standards Council held their 2015 North American Community Meeting this year in Vancouver, BC, from September 29 – October 1. Coalfire was well represented at the meeting, with Dan Fritsche, Managing Director, Application Security, making two presentations at the event (Point-to-Point Encryption and Securing Virtual Payments). Since I was also there, and I am a guest blogger for the Treasury Institute for Higher Education’s PCI DSS blog, I posted about the PCI DSS trends that I observed at the meeting.
]]>Thu, 08 Oct 2015 15:32:42 GMTc73917bb-65ba-4589-90d0-8c770ff3626b
(2 day Workshop) Saturday 17 October - Sunday 18 October, 9:00 a.m. – 5:00 p.m.
]]>Thu, 01 Oct 2015 17:03:08 GMT0aa7a4aa-67d6-4dcd-88c5-c65c452d223d
Like it or not, today the U.S. finally adopts EMV technology. While the implementation by most major retailers and large U.S. banks is expected to be delayed, the “chip and PIN” card types are coming to America to stay.

The real debate is, will EMV adoption do anything for card data security?

Andrew Barratt, Coalfire’s Managing Director of Europe, explained some lessons learned from the United Kingdom. He sat down with John Rostern, executive vice president, to discuss the EMV liability shift.
Thu, 01 Oct 2015 16:31:23 GMT

In this blog post, I will be discussing RFP best practices for Higher Education Institutions. Having worked with higher education organizations for a number of years, I’ve noticed some trends that could be useful as you and your department or institution head into another year of projects that may include going out for RFP.
Tue, 29 Sep 2015 10:53:41 GMT

DerbyCon is right around the corner (Sept. 23 - 25) and we wanted to highlight two sessions that Coalfire Labs team members will be presenting.
Tue, 22 Sep 2015 11:52:21 GMT

I’m pleased to announce that we recently closed on a significant investment from The Carlyle Group and The Chertoff Group – two prestigious investment groups that both have extensive experience in the cybersecurity space. The selection of these two firms came after an extensive six-month process of choosing from many interested parties.
Wed, 16 Sep 2015 08:57:18 GMT
It looked like the 8th annual conference may have garnered record-breaking attendance as I noticed hotel staff rushing to add skirted tables and chairs to the back of the room to accommodate a standing-room-only crowd. I guess that was to be expected given the star-studded line-up of presenters including HHS OCR Director Jocelyn Samuels, her brand new Deputy Director, Deven McGraw, and the OCR enforcer, Iliana Peters. We also heard from government officials at the FTC, the ONC, NIST’s NCCoE, and the HHS Preparedness and Response office. The audience responded to each session with a line of people trailing from the microphone set up for Q&A – and with excellent questions, too!
Wed, 09 Sep 2015 12:13:37 GMT

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.
Wed, 22 Jul 2015 14:53:02 GMT

With the release of PCI DSS version 3.0 and more recently 3.1, many Higher Education Institutions have found it hard to know which SAQs they should be filling out since there are now nine options. Higher Education Institutions have very complex merchant card environments and with the new requirements it is even harder to recognize what’s in scope. Tyler Baker interviews Dirk Anderson, the Vice President of Enterprise Risk & Compliance Platform at Coalfire, to get a deeper understanding of PCI Scope Assessment.
Mon, 13 Jul 2015 13:50:46 GMT

Last week, the PCI Security Standards Council (PCI SSC) published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC documents library. According to the announcement, the highlights of the new version are...
Fri, 10 Jul 2015 08:42:08 GMT

Digital Currency is a thing?

$3 billion (USD) is out there in a digital format, neither printed nor managed by a government. It goes by many different product names, and each one operates separately. One example of a digital currency is Bitcoin; it is only one of the many digital currencies being mined and traded today. The impact that digital currency will have on the world of banking and on how we handle money will be undeniably significant.
Wed, 01 Jul 2015 15:16:24 GMT

The funeral for Rick Dakin will be held on Tuesday, June 30 at 10 a.m. at the Gatehouse (Lionsgate), located at 1055 South 112th Street, (Hwy 287), Lafayette, CO 80026. Arrangements are being made through the Crist Mortuary in Boulder, Colorado. An online memorial page and guestbook will be set up shortly where you may sign in and leave messages for the family.
Thu, 25 Jun 2015 17:26:08 GMT

We are deeply saddened to announce that our founder and CEO Rick Dakin passed away suddenly over the weekend.
Mon, 22 Jun 2015 21:57:43 GMT

In this blog post we’re going to focus our discussion on the technical requirement part of this standard. The evaluation is supposed to establish the extent to which a covered entity’s (or business associate’s) security policies and procedures meet the requirements of the HIPAA Security Rule. A question is posed: how does an organization evaluate this requirement without performing specific technical testing?
Mon, 22 Jun 2015 18:04:23 GMT

Point to Point Encryption (P2PE) is the hottest topic in the PCI world right now and many of our Higher Education clients are anxious to take advantage of the solutions available to them. However, with 2.0 not yet released, and then the subsequent release of the audit guidelines, there are many questions on how to benefit from a reduction in applicable controls. This blog post is the result of an interview with Tyler Baker (Regional Sales Manager focused on Higher Education), Mark Lucas (VP over Higher Education Delivery) and Tim Winston (Director over our P2PE practice).
Thu, 04 Jun 2015 15:21:06 GMT

The comments are in and the HHS is scrambling to review them all before they issue the final Stage 3 Meaningful Use rules later this summer. Comments from entities such as CHIME and HIMSS represent good news and bad news for healthcare providers, depending on how you look at it. The HIPAA Security Rule has always required a risk analysis, but now there could be an annual requirement for risk analyses.
Wed, 03 Jun 2015 16:00:35 GMT

As the HITRUST 2015 conference in Grapevine, Texas ended, I was reminded of the numerous predictions that flagged 2015 the year of the [healthcare] breach. And in just the first half of the year we’ve already witnessed three mega breaches that combined to compromise over 90 million patient records. At the HITRUST conference attendees were greeted with a plethora of speakers ranging from payers and providers to service providers and certified practitioners, Coalfire included.
Fri, 29 May 2015 15:26:05 GMT
Mon, 18 May 2015 14:51:10 GMT

Through the end of the year, the New York State Department of Financial Services (NYSDFS, or DFS for short) expects to proceed with a number of initiatives to help strengthen cybersecurity at its regulated companies. Among these changes will be the integration of regular, targeted assessments of cybersecurity preparedness—for insurance companies, banks, payment processors and more.
Fri, 15 May 2015 15:27:09 GMT

Well, it’s not exactly live anymore but it certainly was worth tweeting live from the brand new Cybersecurity Command Center (CCC) at HIMSS 2015 in Chicago a couple weeks ago given all the excitement. The CCC was the place to be at HIMSS this year with standing room only at the educational sessions. HIMSS staff members were busy adding rows of seating to the session area to fit all the attendees who were clamoring for valuable information delivered by numerous speakers from the FBI to the Secret Service to cyber risk subject matter experts.
Thu, 30 Apr 2015 08:16:51 GMT

th at 6:00pm ET on the Security Weekly Podcast.
Tue, 28 Apr 2015 10:44:46 GMT
Coalfire Controls, LLC (Coalfire) is a Certified Public Accounting (CPA) firm registered with the American Institute of Certified Public Accountants (AICPA) and the Colorado State Board of Accountancy, as required to issue Service Organization Control (SOC) attestation reports in accordance with AICPA Statements on Standards for Attestation Engagements (SSAE). However, Coalfire clients or prospects might wonder why Coalfire is not also registered with the Public Company Accounting Oversight Board (PCAOB). It raises the question: would Coalfire’s clients benefit from the firm’s membership with the PCAOB?
Tue, 28 Apr 2015 08:19:19 GMT

As expected, a “minor” revision to the PCI DSS 3.0 standard (now version 3.1) was released by the PCI SSC today to address the vulnerabilities exposed by the POODLE and BEAST browser attacks. PCI DSS 3.1 primarily addresses the insecure use of SSL as an encryption protocol within a Cardholder Data Environment (CDE). In response, the SSC has updated PCI DSS requirements 2.2.3, 2.3 and 4.1 to remove any references that cite SSL 3.0 and early versions of TLS 1.0 as examples of strong cryptography.
Wed, 15 Apr 2015 13:16:18 GMT

As April 15 approaches, the “water cooler” talk revolves around all types of topics related to the tax season. However, due to the overwhelming number of security breaches reported this past year, several individuals are finding that fraudulent tax filings were created with voluntarily provided personal information. You are able to prevent this.
Tue, 14 Apr 2015 14:30:47 GMT

In the last five years with the increasing digitalization of health information, healthcare security breaches have increased four-fold with the industry experiencing more breaches than any other in 2013. With a large number of potential targets and the high value of personal medical information on the black market, healthcare organizations will continue to be more appealing targets.
Fri, 20 Mar 2015 14:53:07 GMT

Every SOC report (whether it is a SOC 1, SOC 2 or SOC 3) should include information about the service organization’s risk assessment process. Risk assessment can take many forms and there is no “one size fits all” format. Risk assessment is intended to be an evolutionary process, designed to meet the specific needs of individual companies.
Fri, 06 Mar 2015 16:02:22 GMT

One of the most important reference tools that companies use to establish and evaluate their internal controls is the Committee of Sponsoring Organizations' (COSO) Internal Control - Integrated Framework. Initially published in 1992 (the 1992 Framework), the COSO framework has been the most widely used model for internal control for the past 20 years.
Tue, 24 Feb 2015 12:31:41 GMT

In the wake of the POODLE vulnerability identified by NIST and subsequent attacks, the PCI SSC has announced its intent to release the first revision of the PCI DSS 3.0 and PA-DSS 3.0 standards. The PCI DSS 3.1 and PA-DSS 3.1 standards will indicate that the SSL v3.0 protocol no longer meets the PCI SSC’s definition of “Strong Encryption” and this will have an immediate impact on several existing requirements. However, one key point from the announcement should be highlighted:
Thu, 19 Feb 2015 12:46:16 GMT
2015 will be an exciting year for the payments industry, especially for merchants that now have a number of new payment technologies at their disposal. Emerging payment technologies such as Point-to-Point Encryption (P2PE), Tokenization, EMV/Chip and Signature and Mobile Payment Acceptance are hitting the market globally and all of them can help reduce the risk of cardholder data compromise as well as potentially impact the compliance posture of merchants that choose to adopt them.
Mon, 09 Feb 2015 11:13:45 GMT

Several weeks ago I had the opportunity to speak on a panel at a healthcare conference. In attendance were CIOs, CISOs, VPs of IT, and members of legal counsel. The individuals attending the session represented organizations ranging from small- to medium-sized business associates all the way up to large, multi-networked hospitals defined as covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
Thu, 05 Feb 2015 12:39:00 GMT

Have you noticed how many vendors and software solutions are out there claiming they can make you HIPAA-compliant? Well, at the end of the day that’s simply not possible because only you can make your organization HIPAA-compliant. I came up with a list of “red flags” that I typically see from vendors, contractors and the like.
Thu, 15 Jan 2015 09:15:54 GMT

Coalfire Labs does a lot of Social Engineering testing. Traditional Social Engineering testing involves a mundane process of taking a sample of a population and then attacking those “targets” with some pretext calls or a phishing email in order to obtain credentials. Metrics are recorded and then reported back in some form of a deliverable, usually a report. As an example, in a standard Social Engineering engagement, we had a Pretext Calling campaign that included a target selection of 10 users. We made 10 phone calls and talked three of the targeted people out of their passwords.
Mon, 15 Dec 2014 12:15:46 GMT

As cyber threats and attacks have increased year over year, Coalfire has seen a drastically increased need for support to law firms in cybersecurity cases. Because attacks and threats vary so widely, many law firms lack the skills required to properly evaluate cyber-attacks involving their clients. As such, law firms across the nation are looking to partner with skilled cybersecurity companies to provide expert testimony, litigation consulting, and support related to cases involving cyber-attacks.
Thu, 11 Dec 2014 12:14:34 GMT

Fueled by cybercrime, cyber warfare, and cyber terrorism, the cost of cybersecurity and risk management will double in 2015. That’s the bad news. The good news is there will be a shift to cyber offense that will begin to stem the tide of cyber threats.
Tue, 09 Dec 2014 11:52:15 GMT

A year ago, many retail cybersecurity discussions began and ended with PCI compliance. Today, after a gut-wrenching 10 months of data breaches stretching from mom-and-pop shops to category-leading brands, the discussions are broader, the risks are better understood and every link in the customer data chain is coming under newfound scrutiny.
Thu, 20 Nov 2014 13:41:01 GMT

The time of nervous anticipation about PCI breach response is over. VISA has issued dramatic PCI Data Security Standard compliance enforcement guidance for Level 1 and 2 merchants and all Service Providers. Effective January 1st, 2015, noncompliance costs will be applied sooner and will escalate more quickly. Many merchants and service providers looking for a reason to improve compliance just got one. The cost of noncompliance will easily hit $250,000 for many small and mid-sized merchants and service providers.
Fri, 31 Oct 2014 14:34:10 GMT
Yes... To be honest, although we really do some neat stuff here at Coalfire Labs that can be pretty scary, I’ve got to give a shout out to “reality” for being even scarier than any emulated attack we could possibly develop. The astounding number of data breaches announced this year is just shocking, really. It really felt like there was a new one every month. As it turns out, there was! Even more than that on average, as we’ve had at least 14 of them over a 10 month span.
Thu, 30 Oct 2014 13:00:33 GMT

One day I went to a client site to perform an internal penetration test to emulate the insider threat. This testing was designed to help this client understand the damage a rogue employee or an intruder who gained physical access to the network could do. The site that I was visiting was a storefront and had public WiFi. I told the store staff who I was there to meet, and while I waited for the client to become available I connected to the public WiFi just to have a look.
Wed, 29 Oct 2014 10:44:55 GMT

I recently performed a penetration test that really required no “hacking skills” whatsoever. I was able to obtain domain administrator rights simply by logging into web applications and network hardware using default credentials.
Wed, 29 Oct 2014 10:25:32 GMT

It was a typical morning, just like any other for Annie. She arrived at the office just in time to fill her coffee mug and get to her desk to read her email that had been piling up since Friday. After reading through the standard office wide emails she came across one from the help desk.
Wed, 29 Oct 2014 09:56:14 GMT

Vulnerability Summary: The POODLE vulnerability is due to a flaw in the SSL protocol itself, whereas Heartbleed and Shellshock were vulnerabilities in specific software. Heartbleed and Shellshock were confined to systems running vulnerable versions of that software, whereas POODLE affects any system running any software that implements SSL 3.0, a widely implemented protocol used to provide encrypted network transmissions. This is an “industry-wide” vulnerability. Of Heartbleed and Shellshock, POODLE is most similar to Heartbleed, as both Heartbleed and POODLE exploit vulnerabilities having to do with SSL.
Wed, 15 Oct 2014 15:18:55 GMT

Last week I attended The Chertoff Group’s Security Series on Building Resiliency for Financial Services Sector. They provided insight into what they’re doing to protect their organizations, how they see the industry evolving, and firsthand knowledge about emerging threats.
Mon, 15 Sep 2014 07:43:45 GMT

The 2014 North American PCI Community Meeting has drawn to a close, but the messages and lessons learned will continue to resonate with me long after I've returned home to Denver. There were two messages from the SSC this week that really struck a chord with me and I wanted to expand on why I think they are important moving forward.
Thu, 11 Sep 2014 18:48:20 GMT

Admiral James Stavridis delivered this morning’s PCI Community Meeting keynote presentation, ‘Sailing the Cyber Sea: The New Realities of 21st Century Security’ to an engaged and near-capacity crowd. Admiral Stavridis, a four-star admiral and former NATO Supreme Allied Commander, touched briefly on PCI compliance but spoke mainly about cybersecurity as a whole.
Wed, 10 Sep 2014 08:40:32 GMT

Day two of the PCI Community Meeting presented an array of security topics ranging from best practices, EMV, security awareness, and more. I had the pleasure of sitting in on a forensics presentation, which leveraged information from a variety of industry leaders and provided valuable insight into cybercriminal organizations.
Wed, 10 Sep 2014 08:25:04 GMT
Wed, 10 Sep 2014 08:08:38 GMT
Every September, Apple announces exciting new products that promise to change how we interact with not only our devices, but with the world around us. 2014 has been no exception; in San Francisco this morning, Apple announced the iPhone 6, Apple Watch and Apple Pay. Even though I’m excited about the capabilities and features of the iPhone 6 and Apple Watch, I’ll leave those blog posts to the consumer phone experts.
Tue, 09 Sep 2014 17:07:56 GMT

In the aftermath of the most damaging retail breach in history, a CEO in the financial industry explained his company’s position on the issue:
Mon, 08 Sep 2014 10:04:46 GMT

A New Cold War – with Many Sides

There’s a lot we still don’t know about the FBI’s investigation of the data theft at JP Morgan Chase & Co. Criminal hackers based in Russia were targeting U.S. financial institutions long before Russia annexed Crimea or the West responded with sanctions. Is this truly a state-level act? Is it more than a coincidence that the attacks on our financial institutions follow a series of relatively effective sanctions against Russian financial interests? Or is it just another money-making venture by a Russian hacker network?
Thu, 28 Aug 2014 23:00:09 GMT

The news this week that hackers from China compromised 4.5 million customer records held by Community Health Systems is just the latest indication that companies are not adequately protecting the information of the consumers they serve.
Fri, 22 Aug 2014 14:59:43 GMT

There are so many questions regarding those leaked Russian passwords. Is this for real? What sites are on that list? How can you tell if your site’s users are in the “Russian Billion”? Isn’t this just a matter of changing user passwords? Bottom line: As a company with websites that have user accounts, what should you do?
Wed, 20 Aug 2014 16:01:54 GMT

Reports of new credit card data breaches seem to be in the news daily. Recent high profile breaches within major retailers this year should serve as a wake-up call to the restaurant and hospitality industries. Because of their high volumes of credit card transactions and decentralized security practices, criminal organizations have put the restaurant and hospitality industry squarely in their sights. The track data on U.S. magnetic-stripe cards is still among the most valuable commodities on the black market, as it allows criminal organizations to clone cards and quickly exploit them for the highest possible financial gain.
Tue, 12 Aug 2014 09:06:53 GMT
The “Phony War” is how commentators described the seven-month period of eerie quiet that prevailed in Western Europe between Germany’s 1939 invasion of Poland and its later move into the Benelux countries, when erstwhile allies Britain and France avoided offensive operations and simply waited for the German Army to regroup and come to them.
Thu, 07 Aug 2014 11:30:27 GMT

It’s no secret that the internet has changed the way we do business in nearly every industry. On the other hand, the dangers of limited cyber regulations are quickly becoming a focus for the government due to the frequency and impact of data breaches. It’s becoming apparent that convenience comes at the price of security—the federal government is taking notice.
Wed, 30 Jul 2014 08:47:07 GMT

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.
Fri, 25 Jul 2014 14:37:14 GMT

2014 is the year that the US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) is turning its focus to cybersecurity, a looming threat to any and all companies that utilize the internet. In case you missed my last post, back in March the OCIE hosted a Cybersecurity Roundtable to discuss the importance of protecting consumer data and the security of market systems following a steep increase in breaches by its members.
Thu, 03 Jul 2014 07:55:49 GMT

Last week the HHS Office for Civil Rights (OCR) issued their Annual Report to Congress on Breaches of Unsecured Protected Health Information (PHI) for calendar years 2011 and 2012. This is their second annual report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
Thu, 26 Jun 2014 10:23:16 GMT

I recently presented to a C-level gathering of retail finance executives about the industry’s changing threat landscape and the emerging threats facing omni-channel sellers. The retail security environment has changed dramatically in the past few years. Not that long ago, retailers mostly worried about protecting payment card information and staying PCI compliant.
Wed, 25 Jun 2014 09:30:34 GMT

The first HIMSS Privacy & Security Forum in the western U.S. proved to be a success and was attended by over 300 people including attendees (CEs and BAs), speakers, exhibitors, and partners. We reconnected with several clients and met new friends at our booth, which was located right in the middle of the action. We also co-hosted a dinner with our partner, Voltage Security, and enjoyed catching up with old acquaintances and meeting new ones.
Mon, 23 Jun 2014 14:04:24 GMT

I spoke recently at TIA’s Network of the Future conference. At the session, which was heavier on vendors than operators, the discussion was very focused on the cloud. Everyone wants to know what’s coming next and if they’re ready for it.
Tue, 17 Jun 2014 14:56:06 GMT

Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London. As mentioned in one of Rick’s earlier blog entries analyzing the Target kill chain, the communication between business professionals in finance and IT is still out of alignment and this was evident again from comments made by the community.
Mon, 16 Jun 2014 17:16:42 GMT
Wed, 11 Jun 2014 10:08:11 GMT
After every major cyber breach, security professionals are asked about the lessons we can learn from them. While the technical details of the eBay attack aren’t yet public, we can already learn lessons from the company’s public statements and its communications to its customers.
Mon, 02 Jun 2014 12:45:25 GMT

Across the country, executives and their boards saw the data breaches that occurred at large, well-run retailers and immediately began asking the right questions about their own systems and protections. The challenge for the insurance industry is that the plan for many of these companies seems to be transferring as much risk as possible to insurers, who may not have a full and complete understanding of what they are covering.
Tue, 27 May 2014 15:17:26 GMT

The FedRAMP PMO sent out a notification that they are holding a FedRAMP Industry Day on June 4, 2014 and an Agency Day on June 10, 2014. Items to discuss include the June 5, 2014 deadline, NIST SP 800-53 rev 4 transitions and the 3PAO privatization progress, to name a few. We wanted to republish the notification for those that may not have seen it.
Thu, 15 May 2014 17:56:31 GMT

Last week, I talked with Wall Street Journal reporter Ben DiPietro about the persistent communications gap between the data center and the board room when it comes to recognizing and tackling security threats: In almost every breach situation after his company completes a forensic analysis, Mr. Dakin said the chief executive or chief financial officer pulls him aside and says if he had better information earlier he would have made smarter and quicker decisions. “They are intimating that their tech teams are just not talking about cyber risk in terms of business impact.”

But when he speaks with the IT people, Mr. Dakin said he gets a different story, “that my boss just doesn’t get it and we are stuck here with outdated tools, outdated systems and we are not prepared to defend ourselves.”
Wed, 07 May 2014 14:38:03 GMT

In case you missed the most recent National Exam Program Risk Alert, you might want to head over to their website and determine what this may mean for you and your company. Since this may be a topic at your next board meeting, you should be prepared to answer any potential questions. Your board will want to know the status and effectiveness of your cybersecurity because the SEC will now be conducting examinations of more than 50 registered broker-dealers and registered investment advisers.
Thu, 24 Apr 2014 07:56:27 GMT
Tue, 22 Apr 2014 18:05:19 GMT

A journalist recently asked me for my top three pressing concerns related to Federal cloud security. Here are a few points I had to offer up.
Thu, 17 Apr 2014 10:51:00 GMT
The widely publicized heartbleed bug (http://heartbleed.com/) may be impacting as many as 500,000 systems across the Internet. Heartbleed is the name of a vulnerability in the OpenSSL program that powers encrypted communication to many of the world's web sites and private networks. Below you will find out who is affected, what the workarounds are and how Coalfire can help.
]]>Thu, 10 Apr 2014 09:00:38 GMTbdd35c71-b52f-4483-ae01-cb537fc94284
On Wednesday, I attended a roundtable discussion the Securities and Exchange Commission held to gather information on cybersecurity trends and potential disclosure requirements for regulated public companies and stock exchanges.
]]>Fri, 04 Apr 2014 15:05:10 GMTf0c082a9-9cc2-4e33-8edf-ad3c1483b1e3
Welcome DIARMF! This has been a long time coming. From DITSCAP to DIACAP and now to DIARMF the Department of Defense approved the transition to a Risk Management Framework (RMF) approach developed by NIST on March 12.

What does this mean for Information Systems and Platform Information Technology that are already authorized or in the authorization process? While there are many details affecting DoD Unified Capabilities, Cryptography Trusted Platform Module and Cybersecurity Reciprocity…the broad instruction is explained below.
]]>Thu, 03 Apr 2014 11:36:51 GMT5d641145-fff5-4092-b439-04f8f12894d6
North Dakota State University administrators confirmed last week that hackers never accessed the personal information of more than 200,000 students, faculty and staff housed on the server they successfully infiltrated. This attack perfectly suits the modern hacker's MO. They attack open systems wherever they can find them. Just like predators on the African plains, they ignore the strong and well-protected, instead going after the weak and the old. Once one system is compromised, hackers can use it as a pivot into others, as they did in the recent breach at Target.
Posted: Wed, 02 Apr 2014 11:04:42 GMT
This month movie-goers around the world will flock (possibly two-by-two) to see Darren Aronofsky's 'Noah', a silver-screen adaptation of the timeless biblical story, starring Russell Crowe and Jennifer Connelly. Whether one interprets the flood narrative literally or figuratively, this fact remains: the time to prepare for disaster is not after the fact but beforehand. This is true whether the calamity is divine or human in origin.
Posted: Tue, 01 Apr 2014 11:56:24 GMT
The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been more closely scrutinized. The push towards compliance has driven businesses large and small to explore the options and requirements of HIPAA compliance. Specifically, any organization that meets the HIPAA definition of a covered entity or business associate falls under the HIPAA compliance umbrella, regardless of how far removed it is from the point of treatment, and is subject to audit, fines, and penalties in the event of a breach.
Posted: Tue, 01 Apr 2014 09:28:13 GMT
The Payment Card Industry Security Standards Council (PCI SSC) released the Data Security Standard (DSS) 3.0 in November 2013 and has just released the related Self-Assessment Questionnaires (SAQs). There are two new SAQs, SAQ A-EP and SAQ B-IP.
Posted: Mon, 17 Mar 2014 11:41:20 GMT
As expected, the SSC finally released the new version of the Self-Assessment Questionnaires (SAQs) today. They are available on the PCI SSC's website here:
Posted: Fri, 28 Feb 2014 08:33:20 GMT
With the spate of cyber attacks on US retailers recently, Coalfire's European Managing Director, Andrew Barratt, considers how attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where chip and PIN technology is more widely deployed.
Posted: Wed, 26 Feb 2014 09:49:29 GMT
Heads up for our PCI customers: the PCI SSC released the “ROC Reporting Template for v3.0” this last weekend and it is available here. This document supports the PCI DSS 3.0 standard and must be used by all QSA organizations to create and submit a Report on Compliance (ROC). What does this mean?
Posted: Tue, 11 Feb 2014 09:30:27 GMT
When I first heard about the account used to gain access to the Target environment, my first reaction was to laugh at the ridiculousness of an HVAC vendor having the impact on the CDE that it seems (or is rumored) to have had in the recent breach. Then I started thinking about the PCI controls, including 8.5.6 and the requirements for revoking vendor access: how could an HVAC vendor account be the culprit for such a broad attack, and how could this affect our customers?
Posted: Thu, 06 Feb 2014 13:04:17 GMT
There’s been a lot of chatter about PA-DSS 3.0 among several early-adopter application vendors. As of January 1, 2014 it’s permissible to validate against 3.0 in place of a 2.0 validation. Longevity of the 3.0 validation and the desire to be validated first on a new standard seem to be driving the move to 3.0. The expiration date of a 3.0 validation is October 28, 2019 vs. October 28, 2016 for a 2.0 validation.
Posted: Mon, 20 Jan 2014 18:11:53 GMT
InformationWeek's Mathew Schwartz published an article on the recently confirmed payment card breaches at Target, Neiman Marcus and three other unnamed retailers. This article and many others reveal that these attacks involve sophisticated malware, and some even suggest it is the work of the same gang. To be clear, Coalfire and the Coalfire Labs group that I lead are not involved in these investigations. But we do perform security audits and digital forensics investigations for many retailers. And based on that experience, we can confidently say this: all retailers are targets, and many retailers have already been compromised.
Posted: Tue, 14 Jan 2014 12:37:08 GMT
Complying with the PCI DSS requires policies and processes plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, I’ve seen and assessed a variety of free and low-cost (under $200) software tools that help our customers comply with PCI DSS.
Posted: Thu, 12 Dec 2013 15:15:48 GMT
Every regulated industry includes a requirement for managing third-party risk. Some industries are further along the path and have more mature processes than others. However, there are tried and true methodologies and standards established by those early movers that we can utilize across other regulated industries.
Posted: Tue, 10 Dec 2013 13:09:28 GMT
Originally released in 2005, the ISO 27001 standard has recently been updated with additional guidelines for assessing risks within information security management systems. These changes constitute the first revisions to the standard in eight years and have major implications for organizational compliance. With greater focus on risk ownership and continuous improvement, ISO 27001:2013 will require companies to formulate new risk management processes that incorporate procedures to ensure compliance. According to CSO magazine's David Braue, these revisions in ISO 27001:2013 address the complex current security environment and incorporate necessary user feedback.
Posted: Wed, 27 Nov 2013 12:53:56 GMT
Before anyone else conjures up the image of Steve Martin (in The Jerk) running down the street with the new phone book and declaring the obvious to all around him, let's put this study in perspective. There is nothing new or unexpected in the 2013 study. We have had it confirmed that cybercrime is still a big issue and that it costs all of us a lot of time and money to combat a growing list of criminals and terrorists.
Posted: Tue, 26 Nov 2013 18:07:24 GMT
Matt Getzleman – PCI Practice Director, Dan Fritsche – Director, Solution Validation, Andrew Barratt - Managing Director UK, and Brian Pennington – Regional Sales Director, discuss the recent PCI SSC Community Meeting in Nice, France.
Posted: Mon, 04 Nov 2013 17:51:37 GMT
A supernatural sequence of automotive portals and applications yields a ghostly in-car phenomenon. READ MORE… IF YOU DARE.
Posted: Tue, 29 Oct 2013 11:51:59 GMT
Image manipulation madness causes a near disaster for a popular web site. READ MORE… IF YOU DARE.
Posted: Tue, 29 Oct 2013 11:23:47 GMT
An unsuspecting Fortune 100 company allows horrible creatures into its building and systems during a Red Team engagement. READ MORE… IF YOU DARE.
Posted: Tue, 29 Oct 2013 11:06:58 GMT
Coalfire sent the entire team to the meeting in Las Vegas and everyone reported a positive and engaging experience. We hosted our annual dinner where we caught up with clients and friends – a good time was had by all.
The most valuable technical information was presented during the ‘Assessors Only’ session on Tuesday afternoon. The SSC covered the upcoming changes to the PCI DSS and PA-DSS standards. There was an open Q&A session with excellent insight on the industry’s concerns and the SSC’s intent with many of the proposed changes.
Posted: Mon, 21 Oct 2013 14:01:11 GMT
Universities and colleges have been under significant pressure to upgrade their technology both in and out of the classroom. For instance, many organizations turn to mobility as a way to engage students and facilitate learning campus-wide. While much of the discussion is around issues such as the availability of Wi-Fi, there are numerous other things to consider as smartphones and tablets become a part of most technology ecosystems.
Posted: Mon, 23 Sep 2013 11:55:27 GMT
Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than 1.8 billion units.
Posted: Wed, 18 Sep 2013 08:00:20 GMT
It's easy to think of PCI compliance as just another annual hoop to jump through. Of course, after the annual audit, the business is safe for another 12 months, right? Well, not exactly, and with the upcoming release of PCI DSS 3.0, there will be an even bigger reason to think about compliance beyond the scope of a yearly audit.
Posted: Tue, 10 Sep 2013 12:54:58 GMT
On September 23, 2013, many companies will be required by law to comply with HIPAA…and they don’t even know it. Specifically, the final HIPAA Omnibus Rule pulls all companies under the law if they store, process, or transmit PHI data as part of their business processes. While the Omnibus Rule was drafted in late 2012, Coalfire still sees a lot of confusion among service providers, or business associates.
Posted: Wed, 28 Aug 2013 10:00:49 GMT
The standards are coming! The PCI SSC has finally let loose with some much-needed information regarding the upcoming releases of the PCI DSS 3.0 and PA-DSS 3.0 standards. Available on the PCI SSC website, the document titled "Version 3.0 Change Highlights" contains information on what PCI stakeholders can expect in the upcoming release of the new security standards:
Posted: Thu, 15 Aug 2013 12:57:56 GMT
On May 6, 2013, convenience store operator MAPCO Express, Inc. did a responsible thing: they issued a press release that shared important information about a data security incident that was discovered at their stores. Such notices, along with a whole lot of behind-the-scenes investigative work, are standard operating procedure when incidents are discovered.
Posted: Tue, 13 Aug 2013 13:45:02 GMT
In this series of Compliance Talk, Dirk and Ken are back at their favorite coffee shop, this time joined by Dan Fritsche. Dan is Coalfire’s Director of Solution Validated Services and is considered a thought leader on mobile payments, P2PE and other emerging trends in the payments industry.
Posted: Fri, 28 Jun 2013 07:45:35 GMT
The PCI Security Standards Council (SSC) plans on releasing the newest version of the PCI Data Security Standard in October 2013. Predictably, the PCI SSC has been tight-lipped about divulging details regarding any expected changes.
Posted: Mon, 13 May 2013 12:36:43 GMT
Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSA's FedRAMP.gov site provides documentation on the FedRAMP process in their "Guide to Understanding FedRAMP." In it is a 12-step checklist to help organizations gauge their readiness for FedRAMP.
Posted: Mon, 13 May 2013 00:00:00 GMT
As the largest IT audit and compliance advisor in the U.S., Coalfire is exposed to a wide variety of compliance concerns. In this series of Compliance Talk blogs, Dirk and Ken are back at their favorite coffee shop, the Bean and Berry in Louisville, Colorado. Over a couple of cappuccinos, their discussion turned to some of the unique data security aspects of debt collection companies.
Posted: Mon, 06 May 2013 08:27:33 GMT
The FedRAMP PMO recently conducted webinars on April 23 and 25 regarding agencies' requirement to report their progress on compliance with FedRAMP. The discussion covered FedRAMP progress to date, the reporting requirements and the process for moving services to FedRAMP-authorized cloud service providers. You will find the archived webinars on the Past Events page of FedRAMP.gov when they are available.
Posted: Fri, 26 Apr 2013 06:00:00 GMT
The PCI SSC and its Cloud Special Interest Group have released the Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a big contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing compliance at companies using a Cloud Service Provider (CSP).
Posted: Mon, 22 Apr 2013 09:01:35 GMT
Your databases are perhaps the most sensitive targets for cybercriminals, as they are your company's primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist in your perimeter network and your internal systems, best practices require you to manage and protect your databases from unauthorized access, whether intentional or otherwise.
Posted: Thu, 04 Apr 2013 11:56:26 GMT
Data classification is one of the most crucial elements of an effective information governance process—yet it’s also one that many companies fail to implement well. In its simplest terms, data classification is the process of categorizing data based on its level of sensitivity. When done properly, the classification of data helps a company determine the most appropriate level of safeguards and controls that need to be in place.
Posted: Thu, 21 Mar 2013 14:48:09 GMT
Passwords have long been the workhorse of user authentication schemes, and many security experts are speaking out on the need for more effective controls. It seems like hardly a week goes by when we don’t see a password breach in the news.
Posted: Thu, 14 Mar 2013 11:58:34 GMT
Every January, the trade press is full of new year's resolution-like advice about things to do in the coming year; even Coalfire made a few predictions for 2013. I work at Coalfire Labs, and since our business is IT security and testing, we want to share some advice on how to keep your systems and accounts from being breached. While larger companies may feel they can skip some of these steps and still remain safe, TJX, the parent company of T.J. Maxx and Marshalls, learned the hard way the damage a breach can cause. Information from up to tens of millions of credit and debit cards was stolen, costing TJX millions of dollars to get the problem under control. With this in mind, here is a list of five mistakes companies are prone to make, and ways to avoid their negative ramifications.
Posted: Mon, 11 Mar 2013 12:44:31 GMT
Passwords have been the de facto manner of providing security for IT systems. They've got a bad reputation, but it's not the passwords themselves that deserve it; it's the individuals using them and the weak standards by which these passwords are managed. In fact, a password system implemented in a secure manner, with long and complex passwords that change periodically, can be (virtually) uncrackable. However, a typical user isn't apt to embrace a system that requires 15 characters or more (including numbers, upper and lower case, and special characters) and needs to change every two to four weeks.
Posted: Fri, 08 Mar 2013 14:47:29 GMT
On January 22, 2013, the FFIEC put out a press release called “Financial Regulators Propose Guidance on Social Media”. We should begin by saying that even without a social media presence, every company should address social media risks in their annual risk assessment. In this day and age where the average person has a smartphone, laptop, and a tablet, everyone is aware of social media. But what exactly is social media?
Posted: Wed, 06 Mar 2013 12:06:43 GMT
The tense standoff between an unresponsive Congress and a reluctant critical infrastructure industry has been broken. On February 13, 2013, the President issued an Executive Order that provides initial guidance for the country to confront escalating cyber threats. Finally, we have someone with the courage to address the ‘elephant in the room’. Our critical infrastructure is under attack and our ability to defend against increasingly sophisticated attacks is simply not adequate.
Posted: Thu, 14 Feb 2013 15:23:05 GMT
In the wake of the recently-released HIPAA Omnibus Rule with its upcoming deadline, healthcare organizations are trying to figure out how they’re going to achieve compliance. We’ve been busy trying to get through the 563-page rule and determine what it means to our clients.
Posted: Wed, 06 Feb 2013 14:35:44 GMT
As of January 17, 2013, the HIPAA Omnibus Rule has finally been released by the Department of Health and Human Services (HHS); it will modify the HIPAA privacy, security, and enforcement rules. The package of regulations making up this long-overdue HIPAA Omnibus Rule will officially be published in the Federal Register on January 25, 2013 and will take effect on March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply with the new regulations.
Posted: Mon, 21 Jan 2013 14:56:04 GMT
Coalfire recently conducted a survey of South Carolina residents who were victims of the recent data breach at the Department of Revenue. The data breach affected residents of the State who had filed their taxes online, exposing 3.8 million taxpayer Social Security numbers and nearly 400,000 credit and debit card numbers.
Posted: Tue, 15 Jan 2013 15:44:49 GMT
The new PCI SAQ P2PE-HW (Point-to-Point Encryption Self-Assessment Questionnaire) was released in July 2012, and many merchants are excited about the prospect of a shorter, less arduous compliance validation effort. After all, it's significantly shorter than the SAQ D: instead of 12 sections there are 4, and 284 controls are reduced to 19.
Posted: Tue, 15 Jan 2013 11:25:48 GMT
Greetings from the Javits Center in New York City, the site of the National Retail Federation’s Big Show. This year, the theme of NRF is “Next”.

When it comes to Retail technology – and in particular, security and compliance, the most talked about “next” things are:
Posted: Tue, 15 Jan 2013 10:47:59 GMT
Earlier this week the Department of Health and Human Services (HHS) announced the first ever breach settlement where fewer than 500 patient records were compromised. The $50,000 settlement was issued as a result of 441 patient records being stored on an unencrypted laptop that was stolen from the Hospice of North Idaho (HONI).
Posted: Tue, 08 Jan 2013 12:15:38 GMT
P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what must be done to continue to maintain compliance to the PCI DSS.
Posted: Mon, 07 Jan 2013 12:47:54 GMT
The recently announced Dexter malware is targeting POS systems and once in, it collects sensitive credit card data and surreptitiously sends it off to attackers. While the details of this particular attack are not yet available, this is not the first time this general approach has been exploited.
Posted: Thu, 20 Dec 2012 21:51:26 GMT
On October 25, the FedRAMP PMO conducted its first webinar, in what will be a series of webinars, on the FedRAMP process. This first webinar covered the four methods by which CSPs can get listed in the FedRAMP repository.

This webinar is well worth the time to listen to. The PMO had a lengthy Q&A session, which we have transcribed for your convenience below. The FedRAMP PMO also provides a transcription, but it relies on a speech-to-text service that garbled some of the phrases and meanings. Our human-reviewed Q&A of that section of the webinar is below.
Posted: Tue, 13 Nov 2012 09:18:29 GMT
Some IT security monsters aren't as obvious as a Mummy. At Coalfire Labs, we discover—and help our clients address—some pretty scary security and compliance problems. There are lots of deceptive monsters looking to exploit the weaknesses of their victims. This is one of those terrifying but true stories...
Posted: Mon, 29 Oct 2012 14:08:32 GMT
At Coalfire Labs, we discover—and help our clients address—some pretty scary security and compliance problems. Everyone’s heard of blood-sucking cyber criminals looking for vulnerable IT systems. Even when organizations have protections in place, these monsters just won’t give up. Their appetite is insatiable...
Posted: Mon, 29 Oct 2012 13:56:04 GMT
At Coalfire Labs, we discover—and help our clients address—a lot of scary security and compliance problems. Like zombies out looking for a victim, nefarious characters are out to attack your IT infrastructure and compromise your systems. Even when organizations have protections in place, the monsters just won’t give up. They keep coming. Consider this frightening tale...
Posted: Mon, 29 Oct 2012 13:45:03 GMT
You may have noticed this recent article about Google’s contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Labs does every day - working with security leaders to test their security programs.
Posted: Mon, 29 Oct 2012 08:37:12 GMT
Yesterday, we were delighted to see our long-time client FireHost announce that they achieved Common Security Framework (CSF) "Certified" status from the HITRUST Alliance. Headquartered in Richardson, Texas, FireHost has made compliance a top priority, and we've enjoyed working with them to achieve this important designation.
Posted: Fri, 19 Oct 2012 12:22:29 GMT
October is Cyber Security Awareness Month: Get Informed and Get Involved on Cyber Legislation. Every October, the National Cyber Security Alliance sponsors National Cyber Security Awareness Month, and a growing number of businesses and institutions are joining the chorus. The White House got in on the act, too, with this Presidential Proclamation.

To celebrate the month, Coalfire will be blogging on topics of interest to our customers and business partners, and we invite you to join the discussion. This first post is an update on cyber legislation.
Posted: Thu, 04 Oct 2012 13:45:31 GMT
This year has been a year of firsts for me and for Coalfire. I was recently hired to my first information security job as a penetration tester for Coalfire Labs, the forensic and app/network testing side of Coalfire. Many of the Coalfire Labs team attended DEFCON in Las Vegas in early August. Not only was it my first visit to DEFCON as an attendee, but this was my first time speaking at a conference. Because it seems to be a year of firsts, we at Coalfire Labs thought it would be a good idea to share a first-time speaker's experience and an attendee's views on this year's DEFCON.
Posted: Tue, 11 Sep 2012 12:14:31 GMT
Employers are seeing a drastic increase in the number of employees using personal smartphones and tablets in the office. This "Bring Your Own Device" (BYOD) trend is causing headaches for the IT department, and there is no stopping it. Due to the sensitive nature of company information often accessed on those devices, it has become a growing concern for small and large businesses alike.
Posted: Tue, 14 Aug 2012 22:26:31 GMT
July is a month in which we celebrate our nation's independence, and we hope that you've had the chance to reflect on the many freedoms and blessings we enjoy as citizens of the United States. At Coalfire, we know full well that those freedoms have been paid for, at least in part, by America's service men and women.
Posted: Tue, 10 Jul 2012 09:42:08 GMT
This month VMware released an important document, the VMware Solution Guide for Payment Card Industry (PCI). It's significant because it is the first document of its kind to map the PCI requirements, including those authored by the PCI SSC's Virtualization SIG, to a commercially available stack of virtualization solutions.
Posted: Fri, 22 Jun 2012 15:41:09 GMT
The PCI Council has updated the Point-to-Point Encryption (P2PE) program requirements (PDF). The update impacts merchants, payment applications, point-of-sale vendors and service providers. As a participating organization of the PCI P2PE task force, providing input into the standard, I wanted to briefly explain how this affects the various PCI ecosystem participants.

The ultimate goal of the P2PE program is to reduce the PCI DSS scope that merchants experience by shifting the burden away from merchants toward solution providers who are providing validated P2PE solutions. Deploying validated P2PE solutions will simplify PCI DSS validation for merchants while reducing the risk of cardholder data breaches.
Posted: Fri, 25 May 2012 14:18:37 GMT
Over 60 executive-level attendees came to the Omni Interlocken Resort in Broomfield, Colorado for the National Council of Higher Education Loan Programs (NCHELP) Spring convention and to hear from a panel of cloud experts on how the migration to cloud IT services could impact their business in the future.
Posted: Fri, 25 May 2012 13:13:02 GMT
We have reached a new milestone at Coalfire and have announced the recent acquisition of privately held Digital Resources Group (DRG) in Redwood City, California. We are excited about our latest venture as it consolidates our leadership position within the IT Governance Risk and Compliance (IT GRC) services industry. As we continue to grow, acquisitions such as this will help us gain new staff, clients, skills and additional geographical presence enabling Coalfire to continue to provide top-notch services.
Posted: Thu, 10 May 2012 11:12:33 GMT
Organizations that work with, or want to work with, government agencies must comply with government regulations. Almost everyone is familiar with the FISMA compliance standards, but with the announcement of FedRAMP, which provides a structure to manage compliance requirements for a "cloud first" initiative for government agencies and the organizations working with them, there's a new set of compliance requirements to adhere to. Or is there?
Posted: Thu, 03 May 2012 17:47:32 GMT
Having some security expert tell you that you should be creating strong passwords that are unique per account and changed frequently is like your dentist telling you that you should floss morning, night and after consuming any dentally dangerous foods. The majority of us say, "yeah, right." The truth is that you really must do better than what the average person is doing today. In our penetration testing and forensics practices we constantly discover otherwise very intelligent people using the same weak password or PIN across every account without ever changing it.
Posted: Wed, 02 May 2012 07:56:22 GMT
The PCI DSS has been around for years, and most PCI “pro’s” are familiar with the processes needed to validate compliance. However, insiders often forget that small changes to the guidelines can have a big impact on merchants.

One such change is upon us: MasterCard’s new validation guidelines for Level 2 merchants that are scheduled to take effect on June 30, 2012.
Posted: Thu, 12 Apr 2012 14:10:09 GMT
The rapid rise of smartphones, tablets and other portable devices has greatly expanded the ways in which we interact with personal and professional services. The public can now use a mobile device to pay for things with the ease of flashing their cell phone. Unfortunately, this rapid expansion of convenience and service also expands the threats.
Posted: Mon, 02 Apr 2012 07:02:36 GMT
A few weeks ago, more than 35,000 healthcare IT professionals and 1,100 exhibitors converged on Las Vegas. Some were there to go shopping for "HIT", or health information technology; others were there to sell it. The IT professionals from across the healthcare spectrum were there to meet with each other and with regulators, and to stay abreast of the rapid technological changes in the healthcare industry. This was an overwhelming event, a flood of information. It's been a couple of weeks. Here are a few of the HIMSS12 highlights:
Posted: Fri, 16 Mar 2012 12:22:37 GMT
It was good to catch up with our customers and partners at RSA 2012 this week. Much of the buzz this year was around mobile devices and securing the cloud. We were glad to see innovative organizations introducing compliance-validated architectures based on these emerging technologies. One such organization was Hewlett-Packard, a Coalfire client and business partner.
Posted: Fri, 02 Mar 2012 15:30:00 GMT
HIMSS12 is in full production in Las Vegas this week. Over 40,000 healthcare IT professionals and service providers have descended upon a conference that will set the direction for a new wave of technology innovations for the healthcare industry. Almost every booth has a sign that extols the benefits of cloud-based services delivered through mobile devices. The promise to shake the industry to its core is a common theme.
Posted: Thu, 23 Feb 2012 13:24:32 GMT
Healthcare organizations have been working towards HIPAA and HITECH compliance for a few years now. “Surprise” HIPAA compliance audits conducted by the OCR have begun and at Coalfire we’ve come across some gaps that have led organizations to fall short of their compliance initiatives.
Posted: Mon, 20 Feb 2012 12:25:20 GMT
In today's online world, the proliferation of usernames and passwords has resulted in a cottage industry springing up to meet the need to keep track of them in a secure manner. Software and hardware providers have developed a number of unique approaches to deal with this problem, but they all achieve the end goal of being a single credential that grants access to all your passwords.
Posted: Sat, 18 Feb 2012 00:05:34 GMT
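What "a single credential that grants access to all your passwords" means mechanically, and how it supports the "unique, strong password per account" advice in the earlier post, is shown in this added example. It is not Coalfire's code nor any vendor's product: the master password is stretched with PBKDF2 into separate encryption and MAC keys, the stored entries are encrypted and authenticated, and the vault refuses to open (with no hint why) on a wrong master password or any tampering. To stay dependency-free it builds the cipher from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag); that choice, the iteration count and the sample entries are assumptions of the example, and a real vault should use an AEAD such as AES-GCM from a vetted library instead.

```python
"""Minimal password vault: one master credential protects every stored password.

Added example, not Coalfire's or any product's code. Standard library only, so
the cipher is built from HMAC-SHA256: a counter-mode keystream for
confidentiality and a separate encrypt-then-MAC tag for integrity. Sound, but an
assumption made to avoid dependencies; production code should use an AEAD such
as AES-GCM from a vetted library.
"""
import hashlib
import hmac
import json
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumption: iteration count chosen for the example. Tune it so derivation
# takes a noticeable fraction of a second on the machine that unlocks the vault.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32  # bytes per key (256-bit)


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce || counter) blocks, truncated to length."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password: str, entries: Dict[str, str]) -> Dict[str, str]:
    """Encrypt and authenticate the entry map; returns a hex-encoded vault record."""
    salt = secrets.token_bytes(16)   # fresh per vault: defeats precomputed dictionaries
    nonce = secrets.token_bytes(16)  # fresh per seal: keystream never repeats under a key
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # The tag covers everything the opener will trust: salt, nonce and ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, vault: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the master password is wrong or the vault was altered."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(vault[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Verify before decrypting, in constant time. A wrong password and a tampered
    # vault look identical to the caller, which is the behaviour you want.
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


# Unique, random per-account passwords are what the vault exists to hold.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def generate_password(length: int = 20) -> str:
    """CSPRNG-backed password drawn uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries; every site gets its own generated secret.
    entries = {site: generate_password() for site in ("bank.example", "mail.example", "shop.example")}
    record = seal("correct horse battery staple", entries)
    assert open_vault("correct horse battery staple", record) == entries
    assert open_vault("wrong master password", record) is None
    print("vault sealed and reopened; wrong master password rejected")
```

The two properties worth noticing are that the per-vault salt means an attacker who steals many vaults cannot amortize one dictionary attack across them, and that the MAC is checked before any decryption so a modified vault never yields attacker-controlled plaintext to the caller.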
January marks Data Privacy Month and on January 28th we celebrated Data Privacy Day. In the past year, we have seen an increase in the consumerization of IT and “Bring Your Own Device” (BYOD) in the enterprise. In honor of Data Privacy Day 2012, we have partnered with The Center for Identity at The University of Texas to host a seminar on Wednesday, February 1.
Posted: Mon, 30 Jan 2012 15:51:48 GMT
This month the GSA announced an IT security mandate for government prime- and sub-contractors that requires them to have a formalized IT security plan that includes periodic audits. Many government sub-contractors, large and small, will benefit from a third-party compliance program review so they can meet the intent of the rule; more importantly, they can promote an IT risk audit as a benefit to their customer base in their business development efforts. There are a large number of sub-contractors, including IT service providers, that will need to comply with this new mandate.
Posted: Fri, 20 Jan 2012 16:13:29 GMT
It’s been quite a season in the world of IT security as we move into 2012. As experts in our field, we are often asked to comment on current trends and recent stories. Take some time to check out what we have had to say recently:
Tue, 17 Jan 2012 12:30:58 GMT

Since 2009, healthcare providers and other companies providing services to the healthcare industry have been mobilizing to take advantage of government incentives to implement Electronic Health Records (or EHRs). These incentives were established by federal law as a part of the HITECH Act of 2009, and are now administered by the Centers for Medicare & Medicaid Services (CMS).
Mon, 09 Jan 2012 15:33:42 GMT

In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions.
Tue, 03 Jan 2012 12:59:00 GMT

A risk assessment provides your organization with a tool to determine how, where and how much to invest in controls and security over technology. It also serves to document the risk acceptance policy of your organization, as the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI, among others.
Thu, 08 Dec 2011 14:42:53 GMT

In the spirit of the Holiday Season, Coalfire has made a significant contribution to GivingFirst.org in the form of free Penetration Testing services. GivingFirst is a Denver-based community foundation whose mission is “to improve quality of life by increasing community generosity and involvement.”
Tue, 06 Dec 2011 10:20:02 GMT

So you’ve finally completed your Incident Response Plan. You’ve named your team, defined roles, documented standard operating procedures, and established escalation processes. Heck, you’ve even got training material. So now what?
Mon, 07 Nov 2011 18:45:33 GMT

Every company has vulnerabilities and must learn to protect itself from fast-moving cyber threats. Below are a few tips to keep in mind as you examine your network security:
Wed, 26 Oct 2011 19:45:50 GMT

As consumers of messaging services, particularly email, we have become addicted to attachments. This habit has become an easy avenue for mounting cyber-attacks against an organization. In the 2010 Verizon Data Breach Investigations Report, conducted in cooperation with the United States Secret Service, 38 percent of breaches utilized some form of malware and 28 percent employed social tactics.
Tue, 11 Oct 2011 14:56:49 GMT

Recently, Gartner Research released two separate research reports on retailer PCI DSS compliance progress, trends and strategies. These reports are based on a survey of 77 merchants of varying sizes and cover a wide range of topics, including compliance status, spending and the incidence of assessed fines and penalties.
Tue, 06 Sep 2011 16:11:48 GMT

Within the past two weeks there have been several reports on the increase in email spam, which can be directly correlated to an increase in phishing schemes and malware attacks. These attacks are frequently being delivered under the guise of legitimate business: they come in the form of shipment confirmations, credit card statements, and IRS alerts. They all request swift action to click a link or to read an attachment to address some pressing issue.
Thu, 01 Sep 2011 16:11:37 GMT

We are proud to announce the election of Larry Jones to our board of directors. Larry is the former CEO of StarTek, Activant, Message Media and NeoData, and is a seasoned veteran in technology services. He also serves on the board of Comverge, Inc., a publicly traded provider of smart grid, demand management and energy efficiency solutions.
Mon, 29 Aug 2011 16:25:00 GMT

“Tokenization” is one of the best techniques to reduce the risk of credit card data loss. Basically, it is the process of substituting sensitive data with other values not considered sensitive. By doing this, tokenization technology essentially removes anything of value from the data stream, and, after all, what is not there cannot get stolen. This technique can be used with sensitive data of all kinds including financial transactions and medical records.
Fri, 19 Aug 2011 16:37:48 GMT

On September 14, we will be partnering with InfraGard’s New York City Alliance to host a one-day Cyber Defense Summit. This year we have seen a drastic increase in data breaches. As these hacks have become daily occurrences, enterprises must learn how to protect their data while simultaneously guarding their corporate reputation.
Tue, 16 Aug 2011 16:44:18 GMT

A recent article in Healthcare Security Info highlights that computer viruses can cause security breaches that can in turn compromise health care data and potentially violate the HIPAA and HITECH Act regulations. Beth Israel Deaconess Medical Center in Boston had to notify more than 2,000 people that a computer virus sent data, including medical record numbers, names, etc. to an undisclosed location.
Tue, 09 Aug 2011 16:48:55 GMT

A key question faced by many organizations in defining the role and responsibilities of the security organization is where to align the most senior information security executive (typically referred to as the Chief Information Security Officer, or CISO). To answer this question it is important to clearly define the responsibilities of this position and place them in appropriate context.
Wed, 06 Jul 2011 16:53:21 GMT

Merchants spend a lot of time and money developing IT controls programs to protect consumer credit card data. Through our work with thousands of retailers, we’ve learned that one of the best ways to contain costs and reduce risk is to keep cardholder data out of as many systems and business processes as possible. In our line of business, that’s called ‘reducing PCI scope’, since systems and processes that don’t store, process or transmit cardholder data are excluded from the controls required by the PCI DSS.
Thu, 23 Jun 2011 16:58:54 GMT

It’s been quite a week in the world of IT security, and as experts in our field, we are often asked to comment on current trends and recent stories. Take some time to check out what we had to say recently:
Wed, 15 Jun 2011 17:02:58 GMT

I am pleased to announce that our Dallas office is growing by leaps and bounds. Leading the charge is Kurt Hagerman, the newly appointed managing director. Kurt will serve more than 60 clients in the Southwest region and oversee Coalfire’s strategic vision while building new client relationships for the company. Also joining the Dallas office are Rick Link as an IT audit director, Adam Bush as a senior auditor and Justin Baker as a regional sales manager.
Tue, 14 Jun 2011 17:25:19 GMT

In a previous post titled “Is It Safe to Speak? Protection for Telephone-Based Payment Card Data,” I commented on the PCI SSC’s new requirements for call center operations and recording systems.

Call center security has been a hot topic for a long time. How safe is the information that is given over the phone? Especially in the healthcare industry, patient privacy is paramount.
Thu, 09 Jun 2011 00:08:34 GMT

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) opened the door to increased exchanges of healthcare information in an effort to improve care and reduce costs. The Act included new provisions for protected health information (PHI). Since there have been only a few limited reviews and enforcement efforts, the effectiveness of the implementations has remained an open question.
Tue, 24 May 2011 00:16:32 GMT

New York office.
Wed, 11 May 2011 00:38:15 GMT

Botnets have become one of the most dangerous cyber threats affecting businesses today. Botnet criminals focus on the same things as most criminals: money and information. That is why these criminals are targeting payroll, human resources departments, C-level executives and senior strategists.
Mon, 09 May 2011 00:43:45 GMT

In the wake of the Amazon Web Services disruption over the past few days, we think it is important to look at the case a little more closely.
Tue, 26 Apr 2011 00:53:32 GMT

The power and popularity of consumer mobile computing is changing faster than you can say iFart (the #1 downloaded app worldwide). Commercial entities are rapidly adopting mobile-based applications for retail sales floors, restaurants and dining rooms, distributed mobile banking, and more.
Mon, 18 Apr 2011 11:03:28 GMT

Recently, the PCI Security Standards Council released educational resource requirements for securing cardholder data in audio recordings. The PCI SSC has been focusing on call center operations and recording systems of merchants. The need to provide a secure system to protect cardholder data is at an all-time high for these call centers.
Tue, 12 Apr 2011 11:06:16 GMT

Do you know how to ensure reliability and resiliency in cloud and SaaS environments? Join leaders from within the IT outsourcing risk management industry at the Shared Assessments Summit 2011 in Boston on March 29 and 30.
Coalfire is participating in this summit because the value of managing risk for companies today cannot be underestimated.
Fri, 25 Mar 2011 11:10:40 GMT

“The Cloud” is a hot topic right now. Yet most people can’t even define what “the cloud” really is. As I talk to more companies who are considering the move, they all have two main concerns: security and compliance. Of course, security and compliance are key when it comes to cloud computing, but the question you really need to be asking is not, “Will I be secure and compliant if I move to the cloud?” but rather, “What do I need to do to be secure and compliant when I move to the cloud?”
Mon, 14 Mar 2011 11:13:52 GMT

Over the past ten years, rapid change and an evolving threat landscape have better prepared Coalfire to defend our clients against known risks. Not surprisingly, much of the progress is due to compliance-related investments. As we look towards the next ten years, we see a proactive risk management framework being set in place.
Mon, 07 Mar 2011 11:16:35 GMT

People often ask me what defines a successful company. At Coalfire Systems, it’s having a clear roadmap of services that clients need and want, which in turn drives growth and expansion. I am pleased to announce that Coalfire Systems has received an investment of $5 million from Baird Venture Partners.
Thu, 17 Feb 2011 11:21:03 GMT